[Baseline] Store constant directly in emit_op_mov
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Baseline] Store constant directly in emit_op_mov
        https://bugs.webkit.org/show_bug.cgi?id=186182

        Reviewed by Saam Barati.

        In the old code, we first move a constant to a register and store it to the specified address.
        But in 64-bit JSC, we can directly store a constant to the specified address. This reduces the
        generated code size. Since the old code was emitting a constant in the code anyway, this change
        never increases the size of the generated code.

        * jit/JITInlines.h:
        (JSC::JIT::emitGetVirtualRegister):
        We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
        from the stack. If we transfer values in registers without loading values from the stack, it
        breaks this assumption.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2018-05-31  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement support for "<=" and ">=" relational operation
        https://bugs.webkit.org/show_bug.cgi?id=185929

        Reviewed by Yusuke Suzuki.

        This patch introduces support for BigInt operands in the ">=" and
        "<=" operators.
        Here we introduce `bigIntCompareResult`, a helper function
        to reuse code between "less than" and "less than or equal" operators.

        * runtime/JSBigInt.h:
        * runtime/Operations.h:
        (JSC::bigIntCompareResult):
        (JSC::bigIntCompare):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::bigIntCompareLess): Deleted.

2018-05-31  Saam Barati  <sbarati@apple.com>

        Cache toString results for CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186160

        Reviewed by Keith Miller.

        This patch makes it so that we cache the result of toString on
        arrays with a CoW butterfly. This cache lives on Heap and is
        cleared after every GC. We only cache the toString result when
        the CoW butterfly doesn't have a hole (currently, all CoW arrays
        have a hole, but this isn't an invariant we want to rely on). The
        reason for this is that if there is a hole, the value may be loaded
        from the prototype, and the cache may produce a stale result.

        This is a ~4% speedup on the ML subtest in ARES, and a ~1% overall
        progression on ARES.

        * heap/Heap.cpp:
        (JSC::Heap::finalize):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::canUseFastJoin):
        (JSC::holesMustForwardToPrototype):
        (JSC::isHole):
        (JSC::containsHole):
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToString):

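As an added illustration, not code from the WebKit change itself, of why the toString cache in the entry above is only populated when the array has no hole: a hole's value is read through the prototype chain, so a cache keyed on the array object alone goes stale as soon as that chain changes. The `containsHole`, `NaiveToStringCache`, `GuardedToStringCache` and `demonstrateStaleCache` names below are this example's own, and the prototype object it mutates is a constructed stand-in for Array.prototype so the global is left untouched.

```javascript
// Added example, not WebKit code: why an array toString() cache is only
// safe for arrays without holes.

// A hole is an index below length with no own property; reading it falls
// through to the prototype chain (this mirrors the containsHole check the
// ChangeLog entry names, not JSC's implementation of it).
function containsHole(array) {
  for (let i = 0; i < array.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(array, i)) return true;
  }
  return false;
}

// Deliberately naive: memoizes per array object regardless of holes.
class NaiveToStringCache {
  constructor() { this.map = new WeakMap(); }
  toString(array) {
    let cached = this.map.get(array);
    if (cached === undefined) {
      cached = Array.prototype.toString.call(array);
      this.map.set(array, cached);
    }
    return cached;
  }
}

// Guarded: holey arrays bypass the cache, because their string form
// depends on prototype state that the cache key does not capture.
class GuardedToStringCache extends NaiveToStringCache {
  toString(array) {
    if (containsHole(array)) return Array.prototype.toString.call(array);
    return super.toString(array);
  }
}

// Constructed scenario: a stand-in prototype (so the real Array.prototype
// is left alone) gains an index property after the first toString().
function demonstrateStaleCache() {
  const proto = Object.create(Array.prototype);
  const holey = [1, , 3];                 // index 1 is a hole
  Object.setPrototypeOf(holey, proto);
  const naive = new NaiveToStringCache();
  const guarded = new GuardedToStringCache();

  const before = { naive: naive.toString(holey), guarded: guarded.toString(holey) };
  proto[1] = "from-proto";                // the hole now reads through the prototype
  const after = {
    actual: Array.prototype.toString.call(holey),
    naive: naive.toString(holey),         // stale: still the pre-mutation string
    guarded: guarded.toString(holey),     // correct: holey arrays are never cached
  };
  return { before, after };
}

// Dense arrays are still cached: a second call returns the memoized string.
function denseIsCached() {
  const guarded = new GuardedToStringCache();
  const dense = [1, 2, 3];
  const first = guarded.toString(dense);
  return guarded.map.has(dense) && guarded.toString(dense) === first;
}
```

The GC-clearing described in the entry is the other half of the same correctness argument: the cache must be dropped whenever the inputs it depends on can change behind its back, and a hole makes "what it depends on" include the whole prototype chain.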
2018-05-31  Saam Barati  <sbarati@apple.com>

        PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
        https://bugs.webkit.org/show_bug.cgi?id=186169

        Reviewed by Mark Lam.

        If we don't do this, the CFA validation rule about StructureID being
        clobbered but AI not clobbering or folding a clobber will cause us
        to crash. Simon was running into this yesterday on arstechnica.com.
        I couldn't come up with a test case for this, but it's obvious
        what the issue is by looking at the IR dump at the time of the crash.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-05-31  Saam Barati  <sbarati@apple.com>

        JSImmutableButterfly should align its variable storage
        https://bugs.webkit.org/show_bug.cgi?id=186159

        Reviewed by Mark Lam.

        I'm also making the use of reinterpret_cast and bitwise_cast consistent
        inside of JSImmutableButterfly. I switched everything to use bitwise_cast.

        * runtime/JSImmutableButterfly.h:
        (JSC::JSImmutableButterfly::toButterfly const):
        (JSC::JSImmutableButterfly::fromButterfly):
        (JSC::JSImmutableButterfly::offsetOfData):
        (JSC::JSImmutableButterfly::allocationSize):

2018-05-31  Keith Miller  <keith_miller@apple.com>

        DFGArrayModes needs to know more about CoW arrays
        https://bugs.webkit.org/show_bug.cgi?id=186162

        Reviewed by Filip Pizlo.

        This patch fixes two issues in DFGArrayMode.

        1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
        2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
        to vend an accurate original structure.

        Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
        we were doing a read but were actually doing a write. Also, DFGArrayMode will now print the
        action it is expecting when being dumped.

        * bytecode/ArrayProfile.h:
        (JSC::hasSeenWritableArray):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine const):
        (JSC::DFG::ArrayMode::originalArrayStructure const):
        (JSC::DFG::arrayActionToString):
        (JSC::DFG::arrayClassToString):
        (JSC::DFG::ArrayMode::dump const):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        (JSC::DFG::ArrayMode::isJSArray const):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):

2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Pass VM& parameter as much as possible
        https://bugs.webkit.org/show_bug.cgi?id=186085

        Reviewed by Saam Barati.

        JSCell::vm() is slow compared to ExecState::vm(). That's why we have a bunch of functions in JSCell/JSObject that take VM& as a parameter.
        For example, we have JSCell::structure() and JSCell::structure(VM&); the former retrieves VM& from the cell and invokes structure(VM&).
        If we can get VM& from ExecState* or some other place, it reduces the inlined code size.
        This patch attempts to pass the VM& parameter to such functions as much as possible.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        * API/JSTypedArray.cpp:
        (JSObjectGetTypedArrayBuffer):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForInstanceOf):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureStubClearingWatchpoint::fireInternal):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::check):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetConstantProperty):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationPopulateObjectInOSR):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::caller const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::wasmAwareLexicalGlobalObject):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * jit/Repatch.cpp:
        (JSC::tryCacheInByID):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        (functionHasCustomProperties):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructWithBooleanConstructor):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.cpp:
        (JSC::InferredType::removeStructure):
        * runtime/InferredType.h:
        * runtime/InferredTypeInlines.h:
        (JSC::InferredType::finalizeUnconditionally):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        (JSC::defaultLocale):
        (JSC::lookupSupportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::unsharedJSBuffer):
        (JSC::JSArrayBufferView::possiblySharedJSBuffer):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::createImpl):
        (JSC::JSAsyncGeneratorFunction::create):
        (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::boundArgsCopy):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable const):
        (JSC::JSCell::toBoolean const):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::ensureWritableInt32Slow):
        (JSC::JSObject::ensureWritableDoubleSlow):
        (JSC::JSObject::ensureWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::deleteProperty):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::prototypeChainMayInterceptStoreTo):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::hasIndexingHeader const):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::isExtensibleImpl):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::staticPropertiesReified):
        (JSC::JSObject::globalObject const):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::getCallData):
        (JSC::getConstructData):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::JSScope::globalObject): Deleted.
        Remove this JSScope::globalObject function since it is completely the same as JSObject::globalObject().

        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::clone):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::replaceStaticPropertySlot):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::objectConstructorAssign):
        (JSC::toPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToLocaleString):
        * runtime/Operations.cpp:
        (JSC::jsIsFunctionType): Deleted.
        Replace it with JSValue::isFunction(VM&).

        * runtime/Operations.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        * runtime/ScopedArguments.cpp:
        (JSC::ScopedArguments::overrideThings):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncIterator):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::willStoreValueSlow):
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectForObject):
        (JSC::JSDollarVM::finishCreation):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyToJSCallee.cpp:
        (JSC::WebAssemblyToJSCallee::create):

2018-05-30  Saam Barati  <sbarati@apple.com>

        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
        https://bugs.webkit.org/show_bug.cgi?id=186121
        <rdar://problem/39377796>

        Reviewed by Keith Miller.

        DFG's combined liveness was reporting that the machine CodeBlock's |this|
        argument was dead at certain points in the program. However, a CodeBlock's
        arguments are considered live for the entire function. This fixes a bug
        where object allocation sinking phase skipped materializing an allocation
        because it thought that the argument it was associated with, |this|, was dead.

        * dfg/DFGCombinedLiveness.cpp:
        (JSC::DFG::liveNodesAtHead):

2018-05-30  Daniel Bates  <dabates@apple.com>

        Web Inspector: Annotate Same-Site cookies
        https://bugs.webkit.org/show_bug.cgi?id=184897
        <rdar://problem/35178209>

        Reviewed by Brian Burg.

        Update protocol to include cookie Same-Site policy.

        * inspector/protocol/Page.json:

2018-05-29  Keith Miller  <keith_miller@apple.com>

        Error instances should not strongly hold onto StackFrames
        https://bugs.webkit.org/show_bug.cgi?id=185996

        Reviewed by Mark Lam.

        Previously, we would hold onto all the StackFrames until the user
        looked at one of the properties on the Error object. This patch makes us
        only weakly retain the StackFrames and collect all the information
        if we are about to collect any frame.

        This patch also adds a method to $vm that returns the heap's count
        of live global objects.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::stackTraceAsString):
        * interpreter/Interpreter.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finalizeUnconditionally):
        (JSC::ErrorInstance::computeErrorInfo):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        (JSC::ErrorInstance::visitChildren): Deleted.
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/JSFunction.cpp:
        (JSC::getCalculatedDisplayName):
        * runtime/StackFrame.h:
        (JSC::StackFrame::isMarked const):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionGlobalObjectCount):
        (JSC::JSDollarVM::finishCreation):

2018-05-30  Keith Miller  <keith_miller@apple.com>

        LLInt get_by_id prototype caching doesn't properly handle changes
        https://bugs.webkit.org/show_bug.cgi?id=186112

        Reviewed by Filip Pizlo.

        The caching would sometimes fail to track that a prototype had changed
        and wouldn't update its set of watchpoints.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/CodeBlock.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::size const):
        * bytecode/Watchpoint.h:
        (JSC::Watchpoint::Watchpoint): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):

677 2018-05-30  Caio Lima  <ticaiolima@gmail.com>
678
679         [ESNext][BigInt] Implement support for "%" operation
680         https://bugs.webkit.org/show_bug.cgi?id=184327
681
682         Reviewed by Yusuke Suzuki.
683
684         We are introducing the support of BigInt into remainder (a.k.a. mod)
685         operation.
686
687         * runtime/CommonSlowPaths.cpp:
688         (JSC::SLOW_PATH_DECL):
689         * runtime/JSBigInt.cpp:
690         (JSC::JSBigInt::remainder):
691         (JSC::JSBigInt::rightTrim):
692         * runtime/JSBigInt.h:
693
694 2018-05-30  Saam Barati  <sbarati@apple.com>
695
696         AI for Atomics.load() is too conservative in always clobbering world
697         https://bugs.webkit.org/show_bug.cgi?id=185738
698         <rdar://problem/40342214>
699
700         Reviewed by Yusuke Suzuki.
701
702         It fails the assertion that Fil added for catching disagreements between
703         AI and clobberize. This patch fixes that. You'd run into this if you
704         manually enabled SAB in a build and ran any SAB tests.
705
706         * dfg/DFGAbstractInterpreterInlines.h:
707         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
708
709 2018-05-30  Michael Saboff  <msaboff@apple.com>
710
711         REGRESSION(r232212): Broke Win32 Builds
712         https://bugs.webkit.org/show_bug.cgi?id=186061
713
714         Reviewed by Yusuke Suzuki.
715
716         Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h
717         instead of LowLevelInterpreterWin.asm.
718
719         * CMakeLists.txt:
720
721 2018-05-30  Dominik Infuehr  <dinfuehr@igalia.com>
722
723         [MIPS] Fix build on MIPS32r1
724         https://bugs.webkit.org/show_bug.cgi?id=185944
725
726         Reviewed by Yusuke Suzuki.
727
728         Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported
729         on MIPS32r1.
730
731         * offlineasm/mips.rb:
732
733 2018-05-29  Saam Barati  <sbarati@apple.com>
734
735         Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle
736         https://bugs.webkit.org/show_bug.cgi?id=186064
737
738         Reviewed by Mark Lam.
739
740         shrinkFootprint was implemented as:
741         ```
742         sanitizeStackForVM(this);
743         deleteAllCode(DeleteAllCodeIfNotCollecting);
744         heap.collectNow(Synchronousness::Sync);
745         WTF::releaseFastMallocFreeMemory();
746         ```
747         
748         However, for correctness reasons, deleteAllCode is implemented to do
749         work when the VM is idle: no JS is running on the stack. This means
750         that if shrinkFootprint is called when JS is running on the stack, it
751         ends up freeing less memory than it could have if it waited to run until
752         the VM goes idle.
753         
754         This patch makes it so we wait until idle before doing work. I'm seeing a
755         10% footprint progression when testing this against a client of the JSC SPI.
756         
757         Because this is a semantic change in how the SPI works, this patch
758         adds new SPI named shrinkFootprintWhenIdle. The plan is to move
759         all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle.
760         Once that happens, we will delete shrinkFootprint. Until then,
761         we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does.
762
763         * API/JSVirtualMachine.mm:
764         (-[JSVirtualMachine shrinkFootprint]):
765         (-[JSVirtualMachine shrinkFootprintWhenIdle]):
766         * API/JSVirtualMachinePrivate.h:
767         * runtime/VM.cpp:
768         (JSC::VM::shrinkFootprintWhenIdle):
769         (JSC::VM::shrinkFootprint): Deleted.
770         * runtime/VM.h:
771
772 2018-05-29  Saam Barati  <sbarati@apple.com>
773
774         shrinkFootprint needs to request a full collection
775         https://bugs.webkit.org/show_bug.cgi?id=186069
776
777         Reviewed by Mark Lam.
778
779         * runtime/VM.cpp:
780         (JSC::VM::shrinkFootprint):
781
782 2018-05-29  Caio Lima  <ticaiolima@gmail.com>
783
784         [ESNext][BigInt] Implement support for "<" and ">" relational operation
785         https://bugs.webkit.org/show_bug.cgi?id=185379
786
787         Reviewed by Yusuke Suzuki.
788
789         This patch is changing the ```jsLess``` operation to follow the
790         semantics of Abstract Relational Comparison[1] that supports BigInt.
791         For that, we create 2 new helper functions ```bigIntCompareLess``` and
792         ```toPrimitiveNumeric``` that consider BigInt as a valid type to be
793         compared.
794
795         [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison
796
797         * runtime/JSBigInt.cpp:
798         (JSC::JSBigInt::unequalSign):
799         (JSC::JSBigInt::absoluteGreater):
800         (JSC::JSBigInt::absoluteLess):
801         (JSC::JSBigInt::compare):
802         (JSC::JSBigInt::absoluteCompare):
803         * runtime/JSBigInt.h:
804         * runtime/JSCJSValueInlines.h:
805         (JSC::JSValue::isPrimitive const):
806         * runtime/Operations.h:
807         (JSC::bigIntCompareLess):
808         (JSC::toPrimitiveNumeric):
809         (JSC::jsLess):
810
811 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
812
813         [Baseline] Merge loading functionalities
814         https://bugs.webkit.org/show_bug.cgi?id=185907
815
816         Reviewed by Saam Barati.
817
818         This patch unifies emitXXXLoad functions in 32bit and 64bit.
819
820         * jit/JITInlines.h:
821         (JSC::JIT::emitDoubleGetByVal):
822         * jit/JITPropertyAccess.cpp:
823         (JSC::JIT::emitDoubleLoad):
824         (JSC::JIT::emitContiguousLoad):
825         (JSC::JIT::emitArrayStorageLoad):
826         (JSC::JIT::emitIntTypedArrayGetByVal):
827         (JSC::JIT::emitFloatTypedArrayGetByVal):
828         Define register usage first, and share the same code in 32bit and 64bit.
829
830         * jit/JITPropertyAccess32_64.cpp:
831         (JSC::JIT::emitSlow_op_put_by_val):
832         Now C-stack is always enabled in JIT platform and temporary registers increase from 5 to 6 in x86.
833         We can remove this special handling.
834
835         (JSC::JIT::emitContiguousLoad): Deleted.
836         (JSC::JIT::emitDoubleLoad): Deleted.
837         (JSC::JIT::emitArrayStorageLoad): Deleted.
838
839 2018-05-29  Saam Barati  <sbarati@apple.com>
840
841         JSC should put bmalloc's scavenger into mini mode
842         https://bugs.webkit.org/show_bug.cgi?id=185988
843
844         Reviewed by Michael Saboff.
845
846         When we InitializeThreading, we'll now enable bmalloc's mini mode
847         if the VM is in mini mode. This is an 8-10% progression on the footprint
848         at end score in run-testmem, making it a 4-5% memory score progression.
849         It's between a 0-1% regression in its time score.
850
851         * runtime/InitializeThreading.cpp:
852         (JSC::initializeThreading):
853
854 2018-05-29  Caitlin Potter  <caitp@igalia.com>
855
856         [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
857         https://bugs.webkit.org/show_bug.cgi?id=184267
858
859         Reviewed by Saam Barati.
860
861         Before this patch, the fast case for Array.prototype.concat was taken if
862         there was a single argument passed to the function, which is either a
863         non-JSCell, or an ObjectType JSCell not marked as concat-spreadable.
864         This incorrectly prevented Proxy objects from being spread when
865         they were the only argument passed to A.prototype.concat(), violating ECMA-262.
866
867         * builtins/ArrayPrototype.js:
868         (concat):
869
870 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
871
872         [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures
873         https://bugs.webkit.org/show_bug.cgi?id=186022
874
875         Reviewed by Darin Adler.
876
877         digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask
878         creation has an issue (`s` should be cast to a signed type before negating). They cause test failures
879         in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written
880         in asm.
881
882         This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the
883         rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values.
884         This makes the target rshift well-defined in C++. While the value produced by the rshift covers 0 <= `s` < 64 (32
885         in 32bit environment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value
886         if `s` is 0, so that the `s == 0` case is also covered. Note that `s == 64` never happens since `divisor`
887         is never 0 here. We add an assertion for that. We also fix the `sZeroMask` calculation.
888
889         This patch also fixes naming convention for constant values.
890
891         * runtime/JSBigInt.cpp:
892         (JSC::JSBigInt::digitMul):
893         (JSC::JSBigInt::digitDiv):
894         * runtime/JSBigInt.h:
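
        Added example (not part of this ChangeLog entry and not JSC's digitDiv) showing the technique the
        entry describes: the shift amount is masked with `digitBits - 1` so that a shift by `digitBits`
        becomes a shift by 0 and is well-defined, and `sZeroMask` then clears the result when `s == 0`.
        The names `shiftedHighBits`, `shiftedHighBitsReference`, `allShiftsAgree`, `normalize`, the `Digit`
        alias and the use of `__builtin_clzll` (GCC/Clang) are assumptions of this illustration.

```cpp
#include <cassert>
#include <cstdint>

// Illustration only: this is not JSC's digitDiv. The names follow the ChangeLog entry above;
// the functions themselves are hypothetical.
constexpr unsigned digitBits = 64;
using Digit = uint64_t;

// Computes value >> (digitBits - s) for 0 <= s < digitBits without undefined behavior.
// A plain `value >> (digitBits - s)` is UB when s == 0 (a shift by 64). Masking the shift
// amount with digitBits - 1 maps 64 to 0 and leaves 1..63 unchanged, so the shift is always
// defined; the unshifted value that results when s == 0 is then cleared by sZeroMask.
Digit shiftedHighBits(Digit value, unsigned s)
{
    assert(s < digitBits);
    unsigned shift = (digitBits - s) & (digitBits - 1);
    // Unsigned wraparound: 0 - 1 is all ones. sZeroMask is ~0 when s != 0 and 0 when s == 0.
    Digit sZeroMask = Digit(0) - Digit(s != 0);
    return (value >> shift) & sZeroMask;
}

// The same quantity computed with an explicit branch; used only as a reference.
Digit shiftedHighBitsReference(Digit value, unsigned s)
{
    if (!s)
        return 0;
    return value >> (digitBits - s);
}

// True when the branch-free form agrees with the reference for every legal s.
bool allShiftsAgree(Digit value)
{
    for (unsigned s = 0; s < digitBits; ++s) {
        if (shiftedHighBits(value, s) != shiftedHighBitsReference(value, s))
            return false;
    }
    return true;
}

struct Normalized {
    Digit high;
    Digit low;
    unsigned s;
};

// Normalization step of a Knuth-style two-digit division: shift the divisor so its top bit is
// set, and shift the dividend (high:low) by the same amount, carrying the displaced top bits of
// low into high. s == digitBits cannot occur because the divisor is never zero (asserted, as the
// entry above describes).
Normalized normalize(Digit high, Digit low, Digit divisor)
{
    assert(divisor != 0);
    unsigned s = static_cast<unsigned>(__builtin_clzll(divisor));
    assert(s < digitBits);
    Normalized n;
    n.s = s;
    n.high = (high << s) | shiftedHighBits(low, s);
    n.low = low << s;
    return n;
}

int main()
{
    assert(allShiftsAgree(0x0123456789abcdefULL));
    Normalized n = normalize(0, 0xff, 1);
    assert(n.s == 63 && n.high == 0x7f && n.low == 0x8000000000000000ULL);
    return 0;
}
```

        `sZeroMask` is built as `0 - Digit(s != 0)`, which wraps to all ones for an unsigned type and is
        well-defined in C++, so the negate-a-signed-value-then-shift form is avoided altogether; the
        reference function with an explicit branch shows what the branch-free form must equal for every `s`.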
895
896 2018-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
897
898         [WTF] Add clz32 / clz64 for MSVC
899         https://bugs.webkit.org/show_bug.cgi?id=186023
900
901         Reviewed by Daniel Bates.
902
903         Move clz32 and clz64 to WTF.
904
905         * runtime/MathCommon.h:
906         (JSC::clz32): Deleted.
907         (JSC::clz64): Deleted.
908
909 2018-05-27  Caio Lima  <ticaiolima@gmail.com>
910
911         [ESNext][BigInt] Implement "+" and "-" unary operation
912         https://bugs.webkit.org/show_bug.cgi?id=182214
913
914         Reviewed by Yusuke Suzuki.
915
916         This patch is implementing support to "-" unary operation on BigInt.
917         It is also changing the logic of ASTBuilder::makeNegateNode to
918         calculate BigInt literals with the proper sign, avoiding an
919         unnecessary operation. It required a refactoring into
920         JSBigInt::parseInt to consider the sign as a parameter.
921
922         We are also introducing a new DFG Node called ValueNegate to handle BigInt negate
923         operations. With the introduction of BigInt, it is not true
924         that every negate operation returns a Number. As ArithNegate is a
925         node that considers its result is always a Number, like all other
926         Arith<Operation>, we decided to keep this consistency and use ValueNegate when
927         speculation indicates that the operand is a BigInt.
928         This design is following the same distinction between ArithAdd and
929         ValueAdd. Also, this new node will simplify the introduction of
930         optimizations when we create speculation paths for BigInt in future
931         patches.
932
933         In the case of "+" unary operation on BigInt, the current semantic we already have
934         is correct, since it needs to throw TypeError because of the ToNumber call[1].
935         In that case, we are adding tests to verify other edge cases.
936
937         [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator
938
939         * bytecompiler/BytecodeGenerator.cpp:
940         (JSC::BytecodeGenerator::addBigIntConstant):
941         * bytecompiler/BytecodeGenerator.h:
942         * bytecompiler/NodesCodegen.cpp:
943         (JSC::BigIntNode::jsValue const):
944         * dfg/DFGAbstractInterpreterInlines.h:
945         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
946         * dfg/DFGByteCodeParser.cpp:
947         (JSC::DFG::ByteCodeParser::makeSafe):
948         (JSC::DFG::ByteCodeParser::parseBlock):
949         * dfg/DFGClobberize.h:
950         (JSC::DFG::clobberize):
951         * dfg/DFGDoesGC.cpp:
952         (JSC::DFG::doesGC):
953         * dfg/DFGFixupPhase.cpp:
954         (JSC::DFG::FixupPhase::fixupNode):
955         * dfg/DFGNode.h:
956         (JSC::DFG::Node::arithNodeFlags):
957         * dfg/DFGNodeType.h:
958         * dfg/DFGPredictionPropagationPhase.cpp:
959         * dfg/DFGSafeToExecute.h:
960         (JSC::DFG::safeToExecute):
961         * dfg/DFGSpeculativeJIT.cpp:
962         (JSC::DFG::SpeculativeJIT::compileValueNegate):
963         (JSC::DFG::SpeculativeJIT::compileArithNegate):
964         * dfg/DFGSpeculativeJIT.h:
965         * dfg/DFGSpeculativeJIT32_64.cpp:
966         (JSC::DFG::SpeculativeJIT::compile):
967         * dfg/DFGSpeculativeJIT64.cpp:
968         (JSC::DFG::SpeculativeJIT::compile):
969         * ftl/FTLCapabilities.cpp:
970         (JSC::FTL::canCompile):
971         * ftl/FTLLowerDFGToB3.cpp:
972         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
973         (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate):
974         (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
975         * jit/JITOperations.cpp:
976         * parser/ASTBuilder.h:
977         (JSC::ASTBuilder::createBigIntWithSign):
978         (JSC::ASTBuilder::createBigIntFromUnaryOperation):
979         (JSC::ASTBuilder::makeNegateNode):
980         * parser/NodeConstructors.h:
981         (JSC::BigIntNode::BigIntNode):
982         * parser/Nodes.h:
983         * runtime/CommonSlowPaths.cpp:
984         (JSC::updateArithProfileForUnaryArithOp):
985         (JSC::SLOW_PATH_DECL):
986         * runtime/JSBigInt.cpp:
987         (JSC::JSBigInt::parseInt):
988         * runtime/JSBigInt.h:
989         * runtime/JSCJSValueInlines.h:
990         (JSC::JSValue::strictEqualSlowCaseInline):
991
992 2018-05-27  Dan Bernstein  <mitz@apple.com>
993
994         Tried to fix the 32-bit !ASSERT_DISABLED build after r232211.
995
996         * jit/JITOperations.cpp:
997
998 2018-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
999
1000         [JSC] Rename Array#flatten to flat
1001         https://bugs.webkit.org/show_bug.cgi?id=186012
1002
1003         Reviewed by Saam Barati.
1004
1005         Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten
1006         conflicts with the mootools' function name.
1007
1008         * builtins/ArrayPrototype.js:
1009         (globalPrivate.flatIntoArray):
1010         (flat):
1011         (globalPrivate.flatIntoArrayWithCallback):
1012         (flatMap):
1013         (globalPrivate.flattenIntoArray): Deleted.
1014         (flatten): Deleted.
1015         (globalPrivate.flattenIntoArrayWithCallback): Deleted.
1016         * runtime/ArrayPrototype.cpp:
1017         (JSC::ArrayPrototype::finishCreation):
1018
1019 2018-05-25  Mark Lam  <mark.lam@apple.com>
1020
1021         for-in loops should preserve and restore the TDZ stack for each of its internal loops.
1022         https://bugs.webkit.org/show_bug.cgi?id=185995
1023         <rdar://problem/40173142>
1024
1025         Reviewed by Saam Barati.
1026
1027         This is because there's no guarantee that any of the loop bodies will be
1028         executed.  Hence, there's no guarantee that the TDZ variables will have been
1029         initialized after each loop body.
1030
1031         * bytecompiler/BytecodeGenerator.cpp:
1032         (JSC::BytecodeGenerator::preserveTDZStack):
1033         (JSC::BytecodeGenerator::restoreTDZStack):
1034         * bytecompiler/BytecodeGenerator.h:
1035         * bytecompiler/NodesCodegen.cpp:
1036         (JSC::ForInNode::emitBytecode):
1037
1038 2018-05-25  Mark Lam  <mark.lam@apple.com>
1039
1040         MachineContext's instructionPointer() should handle null PCs correctly.
1041         https://bugs.webkit.org/show_bug.cgi?id=186004
1042         <rdar://problem/40570067>
1043
1044         Reviewed by Saam Barati.
1045
1046         instructionPointer() returns a MacroAssemblerCodePtr<CFunctionPtrTag>.  However,
1047         MacroAssemblerCodePtr's constructor does not accept a null pointer value and will
1048         assert accordingly with a debug ASSERT.  This is inconsequential for release
1049         builds, but to avoid this assertion failure, we should check for a null PC and
1050         return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr) instead (which uses the
1051         MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead).
1052
1053         Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check
1054         for null pointers, but I would rather not do that yet.  In general,
1055         MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to
1056         leave it that way for now.
1057
1058         Note: this assertion failure only manifests when we have signal traps enabled,
1059         and encounter a null pointer deref.
1060
1061         * runtime/MachineContext.h:
1062         (JSC::MachineContext::instructionPointer):
1063
1064 2018-05-25  Mark Lam  <mark.lam@apple.com>
1065
1066         Enforce invariant that GetterSetter objects are invariant.
1067         https://bugs.webkit.org/show_bug.cgi?id=185968
1068         <rdar://problem/40541416>
1069
1070         Reviewed by Saam Barati.
1071
1072         The code already assumes the invariant that GetterSetter objects are immutable.
1073         For example, the use of @tryGetById in builtins expects this invariant to be true.
1074         The existing code mostly enforces this except for one case: JSObject's
1075         validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter
1076         object.
1077
1078         This patch enforces this invariant by removing the setGetter and setSetter methods
1079         of GetterSetter, and requiring the getter/setter callback functions to be
1080         specified at construction time.
1081
1082         * jit/JITOperations.cpp:
1083         * llint/LLIntSlowPaths.cpp:
1084         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1085         * runtime/GetterSetter.cpp:
1086         (JSC::GetterSetter::withGetter): Deleted.
1087         (JSC::GetterSetter::withSetter): Deleted.
1088         * runtime/GetterSetter.h:
1089         * runtime/JSGlobalObject.cpp:
1090         (JSC::JSGlobalObject::init):
1091         * runtime/JSObject.cpp:
1092         (JSC::JSObject::putIndexedDescriptor):
1093         (JSC::JSObject::putDirectNativeIntrinsicGetter):
1094         (JSC::putDescriptor):
1095         (JSC::validateAndApplyPropertyDescriptor):
1096         * runtime/JSTypedArrayViewPrototype.cpp:
1097         (JSC::JSTypedArrayViewPrototype::finishCreation):
1098         * runtime/Lookup.cpp:
1099         (JSC::reifyStaticAccessor):
1100         * runtime/PropertyDescriptor.cpp:
1101         (JSC::PropertyDescriptor::slowGetterSetter):
1102
1103 2018-05-25  Saam Barati  <sbarati@apple.com>
1104
1105         Make JSC have a mini mode that kicks in when the JIT is disabled
1106         https://bugs.webkit.org/show_bug.cgi?id=185931
1107
1108         Reviewed by Mark Lam.
1109
1110         This patch makes JSC have a mini VM mode. This currently only kicks in
1111         when the process can't JIT. Mini VM now means a few things:
1112         - We always use a 1.27x heap growth factor. This number was the best tradeoff
1113           between memory use progression and time regression in run-testmem. We may
1114           want to tune this more in the future as we make other mini VM changes.
1115         - We always sweep synchronously.
1116         - We disable generational GC.
1117         
1118         I'm going to continue to extend what mini VM mode means in future changes.
1119         
1120         This patch is a 50% memory progression and an ~8-9% time regression
1121         on run-testmem when running in mini VM mode with the JIT disabled.
1122
1123         * heap/Heap.cpp:
1124         (JSC::Heap::collectNow):
1125         (JSC::Heap::finalize):
1126         (JSC::Heap::useGenerationalGC):
1127         (JSC::Heap::shouldSweepSynchronously):
1128         (JSC::Heap::shouldDoFullCollection):
1129         * heap/Heap.h:
1130         * runtime/Options.h:
1131         * runtime/VM.cpp:
1132         (JSC::VM::isInMiniMode):
1133         * runtime/VM.h:
1134
1135 2018-05-25  Saam Barati  <sbarati@apple.com>
1136
1137         Have a memory test where we can validate JSC's mini memory mode
1138         https://bugs.webkit.org/show_bug.cgi?id=185932
1139
1140         Reviewed by Mark Lam.
1141
1142         This patch adds the testmem CLI. It takes as input a file to run
1143         and the number of iterations to run it (by default it runs it
1144         20 times). Each iteration runs in a new JSContext. Each JSContext
1145         belongs to a VM that is created once. When finished, the CLI dumps
1146         out the peak memory usage of the process, the memory usage at the end
1147         of running all the iterations of the process, and the total time it
1148         took to run all the iterations.
1149
1150         * JavaScriptCore.xcodeproj/project.pbxproj:
1151         * testmem: Added.
1152         * testmem/testmem.mm: Added.
1153         (description):
1154         (Footprint::now):
1155         (main):
1156
1157 2018-05-25  David Kilzer  <ddkilzer@apple.com>
1158
1159         Fix issues with -dealloc methods found by clang static analyzer
1160         <https://webkit.org/b/185887>
1161
1162         Reviewed by Joseph Pecoraro.
1163
1164         * API/JSValue.mm:
1165         (-[JSValue dealloc]):
1166         (-[JSValue description]):
1167         - Move method implementations from (Internal) category to the
1168           main category since these are public API.  This fixes the
1169           false positive warning about a missing -dealloc method.
1170
1171 2018-05-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1172
1173         [Baseline] Remove a hack for DCE removal of NewFunction
1174         https://bugs.webkit.org/show_bug.cgi?id=185945
1175
1176         Reviewed by Saam Barati.
1177
1178         This `undefined` check in baseline was originally introduced in r177871. The problem was,
1179         when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed.
1180         While op_new_func_xxx wants to have a scope for function creation, DFG OSR exit cannot
1181         retrieve this into the stack since the scope is not referenced from anywhere.
1182
1183         In r177871, we fixed this by accepting an `undefined` scope in the baseline op_new_func_xxx
1184         implementation. But rather than that, just emitting `Phantom` for this scope is clean
1185         and consistent with the other DFG nodes like GetClosureVar.
1186
1187         This patch emits Phantom instead, and removes the unnecessary `undefined` check in baseline.
1188         While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which
1189         is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction
1190         if it is not referenced. And the scope node is kept by PutHint. But emitting Phantom is nice
1191         since it conservatively guards the scope, and it does not introduce any additional overhead
1192         compared to the current status.
1193
1194         * dfg/DFGByteCodeParser.cpp:
1195         (JSC::DFG::ByteCodeParser::parseBlock):
1196         * jit/JITOpcodes.cpp:
1197         (JSC::JIT::emitNewFuncExprCommon):
1198
1199 2018-05-23  Keith Miller  <keith_miller@apple.com>
1200
1201         Expose $vm if window.internals is exposed
1202         https://bugs.webkit.org/show_bug.cgi?id=185900
1203
1204         Reviewed by Mark Lam.
1205
1206         This is useful for testing vm internals when running LayoutTests.
1207
1208         * runtime/JSGlobalObject.cpp:
1209         (JSC::JSGlobalObject::init):
1210         (JSC::JSGlobalObject::visitChildren):
1211         (JSC::JSGlobalObject::exposeDollarVM):
1212         * runtime/JSGlobalObject.h:
1213
1214 2018-05-23  Keith Miller  <keith_miller@apple.com>
1215
1216         Define length on CoW array should properly convert to writable
1217         https://bugs.webkit.org/show_bug.cgi?id=185927
1218
1219         Reviewed by Yusuke Suzuki.
1220
1221         * runtime/JSArray.cpp:
1222         (JSC::JSArray::setLength):
1223
1224 2018-05-23  Keith Miller  <keith_miller@apple.com>
1225
1226         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format
1227         https://bugs.webkit.org/show_bug.cgi?id=185923
1228
1229         Reviewed by Saam Barati.
1230
1231         Previously, we could confuse AI by overly broadening a type. This happens when a block in a
1232         loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example,
1233
1234         Block 1:
1235         @1: GetLocal(loc42, FlushedInt32);
1236         @2: PutStructure(Check: Cell: @1);
1237         @3: Jump(Block 1);
1238
1239         Would cause us to claim that loc42 could be either an int32 or some cell. However,
1240         the type of a local cannot change without writing to it.
1241
1242         This fixes a crash in destructuring-rest-element.js
1243
1244         * dfg/DFGInPlaceAbstractState.cpp:
1245         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1246
1247 2018-05-23  Filip Pizlo  <fpizlo@apple.com>
1248
1249         Speed up JetStream/base64
1250         https://bugs.webkit.org/show_bug.cgi?id=185914
1251
1252         Reviewed by Michael Saboff.
1253         
1254         Make allocation fast paths ALWAYS_INLINE.
1255         
1256         This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by
1257         ~6%.
1258
1259         * CMakeLists.txt:
1260         * JavaScriptCore.xcodeproj/project.pbxproj:
1261         * heap/AllocatorInlines.h:
1262         (JSC::Allocator::allocate const):
1263         * heap/CompleteSubspace.cpp:
1264         (JSC::CompleteSubspace::allocateNonVirtual): Deleted.
1265         * heap/CompleteSubspace.h:
1266         * heap/CompleteSubspaceInlines.h: Added.
1267         (JSC::CompleteSubspace::allocateNonVirtual):
1268         * heap/FreeListInlines.h:
1269         (JSC::FreeList::allocate):
1270         * heap/IsoSubspace.cpp:
1271         (JSC::IsoSubspace::allocateNonVirtual): Deleted.
1272         * heap/IsoSubspace.h:
1273         (JSC::IsoSubspace::allocatorForNonVirtual):
1274         * heap/IsoSubspaceInlines.h: Added.
1275         (JSC::IsoSubspace::allocateNonVirtual):
1276         * runtime/JSCellInlines.h:
1277         * runtime/VM.h:
1278
1279 2018-05-23  Rick Waldron  <waldron.rick@gmail.com>
1280
1281         Conversion misspelled "Convertion" in error message string
1282         https://bugs.webkit.org/show_bug.cgi?id=185436
1283
1284         Reviewed by Saam Barati, Michael Saboff.
1285
1286         * runtime/JSBigInt.cpp:
1287         (JSC::JSBigInt::toNumber const):
1288
1289 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1290
1291         [JSC] Clean up stringGetByValStubGenerator
1292         https://bugs.webkit.org/show_bug.cgi?id=185864
1293
1294         Reviewed by Saam Barati.
1295
1296         We clean up stringGetByValStubGenerator.
1297
1298         1. Unify 32bit and 64bit implementations.
1299         2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp.
1300         3. Remove string type check since this code is invoked only when we know regT0 is JSString*.
1301         4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side.
1302         5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32.
1303
1304         * jit/JIT.h:
1305         * jit/JITPropertyAccess.cpp:
1306         (JSC::JIT::emitSlow_op_get_by_val):
1307         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1308         * jit/JITPropertyAccess32_64.cpp:
1309         (JSC::JIT::emit_op_get_by_val):
1310         (JSC::JIT::emitSlow_op_get_by_val):
1311         (JSC::JIT::stringGetByValStubGenerator): Deleted.
1312         * jit/ThunkGenerators.cpp:
1313         (JSC::stringGetByValGenerator):
1314         * jit/ThunkGenerators.h:
1315
1316 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1317
1318         [JSC] Use branchIfString/branchIfNotString instead of structure checks
1319         https://bugs.webkit.org/show_bug.cgi?id=185810
1320
1321         Reviewed by Saam Barati.
1322
1323         Let's use branchIfString/branchIfNotString helper functions instead of
1324         checking structure with jsString's structure. It's easy to read. And
1325         it emits less code since we do not need to embed string structure's
1326         raw pointer in 32bit environment.
1327
1328         * jit/JIT.h:
1329         * jit/JITInlines.h:
1330         (JSC::JIT::emitLoadCharacterString):
1331         (JSC::JIT::checkStructure): Deleted.
1332         * jit/JITOpcodes32_64.cpp:
1333         (JSC::JIT::emitSlow_op_eq):
1334         (JSC::JIT::compileOpEqJumpSlow):
1335         (JSC::JIT::emitSlow_op_neq):
1336         * jit/JITPropertyAccess.cpp:
1337         (JSC::JIT::stringGetByValStubGenerator):
1338         (JSC::JIT::emitSlow_op_get_by_val):
1339         (JSC::JIT::emitByValIdentifierCheck):
1340         * jit/JITPropertyAccess32_64.cpp:
1341         (JSC::JIT::stringGetByValStubGenerator):
1342         (JSC::JIT::emitSlow_op_get_by_val):
1343         * jit/JSInterfaceJIT.h:
1344         (JSC::ThunkHelpers::jsStringLengthOffset): Deleted.
1345         (JSC::ThunkHelpers::jsStringValueOffset): Deleted.
1346         * jit/SpecializedThunkJIT.h:
1347         (JSC::SpecializedThunkJIT::loadJSStringArgument):
1348         * jit/ThunkGenerators.cpp:
1349         (JSC::stringCharLoad):
1350         (JSC::charCodeAtThunkGenerator):
1351         (JSC::charAtThunkGenerator):
1352         * runtime/JSString.h:
1353
1354 2018-05-22  Mark Lam  <mark.lam@apple.com>
1355
1356         BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled.
1357         https://bugs.webkit.org/show_bug.cgi?id=185896
1358         <rdar://problem/40471403>
1359
1360         Reviewed by Saam Barati.
1361
1362         * bytecode/BytecodeGeneratorification.cpp:
1363         (JSC::BytecodeGeneratorification::run):
1364
1365 2018-05-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1366
1367         [JSC] Fix CachedCall's argument count if RegExp has named captures
1368         https://bugs.webkit.org/show_bug.cgi?id=185587
1369
1370         Reviewed by Mark Lam.
1371
1372         If the given RegExp has named captures, the argument count of CachedCall in String#replace
1373         should be increased by one. This causes a crash with an assertion in test262. This patch corrects
1374         the argument count.
1375
1376         This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely
1377         the same.
1378
1379         * runtime/StringPrototype.cpp:
1380         (JSC::replaceUsingRegExpSearch):
1381
1382 2018-05-22  Mark Lam  <mark.lam@apple.com>
1383
1384         StringImpl utf8 conversion should not fail silently.
1385         https://bugs.webkit.org/show_bug.cgi?id=185888
1386         <rdar://problem/40464506>
1387
1388         Reviewed by Filip Pizlo.
1389
1390         * dfg/DFGLazyJSValue.cpp:
1391         (JSC::DFG::LazyJSValue::dumpInContext const):
1392         * runtime/DateConstructor.cpp:
1393         (JSC::constructDate):
1394         (JSC::dateParse):
1395         * runtime/JSDateMath.cpp:
1396         (JSC::parseDate):
1397         * runtime/JSDateMath.h:
1398
1399 2018-05-22  Keith Miller  <keith_miller@apple.com>
1400
1401         Remove the UnconditionalFinalizer class
1402         https://bugs.webkit.org/show_bug.cgi?id=185881
1403
1404         Reviewed by Filip Pizlo.
1405
1406         The only remaining user of this API is
1407         JSWebAssemblyCodeBlock. This patch changes JSWebAssemblyCodeBlock
1408         to use the newer template based API and removes the old class.
1409
1410         * CMakeLists.txt:
1411         * JavaScriptCore.xcodeproj/project.pbxproj:
1412         * bytecode/CodeBlock.h:
1413         * heap/Heap.cpp:
1414         (JSC::Heap::finalizeUnconditionalFinalizers):
1415         * heap/Heap.h:
1416         * heap/SlotVisitor.cpp:
1417         (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted.
1418         * heap/SlotVisitor.h:
1419         * heap/UnconditionalFinalizer.h: Removed.
1420         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1421         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1422         (JSC::JSWebAssemblyCodeBlock::visitChildren):
1423         (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally):
1424         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
1425         * wasm/js/JSWebAssemblyCodeBlock.h:
1426         * wasm/js/JSWebAssemblyModule.h:
1444
1445 2018-05-22  Keith Miller  <keith_miller@apple.com>
1446
1447         Unreviewed, fix internal build.
1448
1449         * runtime/JSImmutableButterfly.cpp:
1450
1451 2018-05-22  Saam Barati  <sbarati@apple.com>
1452
1453         DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails
1454         https://bugs.webkit.org/show_bug.cgi?id=144525
1455
1456         Reviewed by Filip Pizlo.
1457
1458         This patch teaches LICM to fall back to hoisting a node's type checks when
1459         hoisting the entire node fails.
1460         
1461         This patch follows the same principles we use when deciding to hoist nodes in general:
1462         - If the pre header is control equivalent to where the current check is, we
1463         go ahead and hoist the check.
1464         - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and
1465         hoist the check. If hoisting failed in the past, we will not hoist the check.
1466
1467         * dfg/DFGLICMPhase.cpp:
1468         (JSC::DFG::LICMPhase::attemptHoist):
1469         * dfg/DFGUseKind.h:
1470         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1471
1472 2018-05-21  Filip Pizlo  <fpizlo@apple.com>
1473
1474         Get rid of TLCs
1475         https://bugs.webkit.org/show_bug.cgi?id=185846
1476
1477         Rubber stamped by Geoffrey Garen.
1478         
1479         This removes support for thread-local caches from the GC in order to speed up allocation a
1480         bit.
1481         
1482         We added TLCs as part of Spectre mitigations, which we have since removed.
1483         
1484         We will want some kind of TLCs eventually, since they allow us to:
1485         
1486         - have a global GC, which may be a perf optimization at some point.
1487         - allocate objects from JIT threads, which we've been wanting to do for a while.
1488         
1489         This change keeps the most interesting aspect of TLCs, which is the
1490         LocalAllocator/BlockDirectory separation. This means that it ought to be easy to implement
1491         TLCs again in the future if we wanted this feature.
1492         
1493         This change removes the part of TLCs that causes a perf regression, namely that Allocator is
1494         an offset that requires a bounds check and lookup that makes the rest of the allocation fast
1495         path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so
1496         you can directly use it to allocate. This removes two loads and a check from the allocation
1497         fast path. In hindsight, I probably could have made that whole thing more efficient, had I
1498         allowed us to have a statically known set of LocalAllocators. This would have removed the
1499         bounds check (one load and one branch) and it would have made it possible to CSE the load of
1500         the TLC data structure, since that would no longer resize. But that's a harder change than
1501         this patch, and we don't need it right now.
1502         
1503         While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch
1504         to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does
1505         that check already. Previously, the TLC bounds check doubled as this check.
1506         
1507         This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane
1508         speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp
1509         speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this
1510         is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay.
1511
1512         * JavaScriptCore.xcodeproj/project.pbxproj:
1513         * Sources.txt:
1514         * bytecode/ObjectAllocationProfileInlines.h:
1515         (JSC::ObjectAllocationProfile::initializeProfile):
1516         * dfg/DFGSpeculativeJIT.cpp:
1517         (JSC::DFG::SpeculativeJIT::compileCreateThis):
1518         * ftl/FTLLowerDFGToB3.cpp:
1519         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1520         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1521         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1522         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
1523         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1524         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1525         * heap/Allocator.cpp:
1526         (JSC::Allocator::cellSize const):
1527         * heap/Allocator.h:
1528         (JSC::Allocator::Allocator):
1529         (JSC::Allocator::localAllocator const):
1530         (JSC::Allocator::operator== const):
1531         (JSC::Allocator::offset const): Deleted.
1532         * heap/AllocatorInlines.h:
1533         (JSC::Allocator::allocate const):
1534         (JSC::Allocator::tryAllocate const): Deleted.
1535         * heap/BlockDirectory.cpp:
1536         (JSC::BlockDirectory::BlockDirectory):
1537         (JSC::BlockDirectory::~BlockDirectory):
1538         * heap/BlockDirectory.h:
1539         (JSC::BlockDirectory::allocator const): Deleted.
1540         * heap/CompleteSubspace.cpp:
1541         (JSC::CompleteSubspace::allocateNonVirtual):
1542         (JSC::CompleteSubspace::allocatorForSlow):
1543         (JSC::CompleteSubspace::tryAllocateSlow):
1544         * heap/CompleteSubspace.h:
1545         * heap/Heap.cpp:
1546         (JSC::Heap::Heap):
1547         * heap/Heap.h:
1548         (JSC::Heap::threadLocalCacheLayout): Deleted.
1549         * heap/IsoSubspace.cpp:
1550         (JSC::IsoSubspace::IsoSubspace):
1551         (JSC::IsoSubspace::allocateNonVirtual):
1552         * heap/IsoSubspace.h:
1553         (JSC::IsoSubspace::allocatorForNonVirtual):
1554         * heap/LocalAllocator.cpp:
1555         (JSC::LocalAllocator::LocalAllocator):
1556         (JSC::LocalAllocator::~LocalAllocator):
1557         * heap/LocalAllocator.h:
1558         (JSC::LocalAllocator::cellSize const):
1559         (JSC::LocalAllocator::tlc const): Deleted.
1560         * heap/ThreadLocalCache.cpp: Removed.
1561         * heap/ThreadLocalCache.h: Removed.
1562         * heap/ThreadLocalCacheInlines.h: Removed.
1563         * heap/ThreadLocalCacheLayout.cpp: Removed.
1564         * heap/ThreadLocalCacheLayout.h: Removed.
1565         * jit/AssemblyHelpers.cpp:
1566         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1567         (JSC::AssemblyHelpers::emitAllocate):
1568         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1569         * jit/JITOpcodes.cpp:
1570         (JSC::JIT::emit_op_create_this):
1571         * runtime/JSLock.cpp:
1572         (JSC::JSLock::didAcquireLock):
1573         * runtime/VM.cpp:
1574         (JSC::VM::VM):
1575         (JSC::VM::~VM):
1576         * runtime/VM.h:
1577         * runtime/VMEntryScope.cpp:
1578         (JSC::VMEntryScope::~VMEntryScope):
1579         * runtime/VMEntryScope.h:
1580
1581 2018-05-22  Keith Miller  <keith_miller@apple.com>
1582
1583         We should have a CoW storage for NewArrayBuffer arrays.
1584         https://bugs.webkit.org/show_bug.cgi?id=185003
1585
1586         Reviewed by Filip Pizlo.
1587
1588         This patch adds copy on write storage for new array buffers. In
1589         order to do this there needed to be significant changes to the
1590         layout of IndexingType. The new indexing type has the following
1591         shape:
1592
1593         struct IndexingTypeAndMisc {
1594             struct IndexingModeIncludingHistory {
1595                 struct IndexingMode {
1596                     struct IndexingType {
1597                         uint8_t isArray:1;          // bit 0
1598                         uint8_t shape:3;            // bit 1 - 3
1599                     };
1600                     uint8_t copyOnWrite:1;          // bit 4
1601                 };
1602                 uint8_t mayHaveIndexedAccessors:1;  // bit 5
1603             };
1604             uint8_t cellLockBits:2;                 // bit 6 - 7
1605         };
1606
1607         For simplicity ArrayStorage shapes cannot be CoW. So the only
1608         valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and
1609         ArrayWithContiguous.
1610
1611         The backing store for a CoW array is a new class
1612         JSImmutableButterfly, which looks exactly the same as a normal
1613         butterfly except that it has a JSCell header. Like other
1614         butterflies, JSImmutableButterflies are allocated out of the
1615         Auxiliary Gigacage and are pointed to by JSCells in the same
1616         way. However, when marking JSImmutableButterflies they are marked
1617         as if they were a property.
1618
1619         With CoW arrays, the new_array_buffer bytecode will reallocate the
1620         shared JSImmutableButterfly if it sees from the allocation profile
1621         that the last array it allocated has transitioned to a different
1622         indexing type. From then on, all arrays created by that
1623         new_array_buffer bytecode will have the promoted indexing
1624         type. This is more or less the same as what we used to do. The
1625         only difference is that we don't promote all the way to array
1626         storage even if we have seen it before.
1627
1628         Transitioning from a CoW indexing mode occurs whenever someone
1629         tries to store to an element, grow the array, or add properties.
1630         Storing or growing the array will call into code that does the
1631         stupid thing of copying the butterfly then continue into the old
1632         code. This doesn't end up costing us as future allocations will
1633         use any upgraded indexing shape.  We get adding properties for
1634         free by just changing the indexing mode on transition (our C++
1635         code always updates the indexing mode).
1636
1637         * JavaScriptCore.xcodeproj/project.pbxproj:
1638         * Sources.txt:
1639         * bytecode/ArrayAllocationProfile.cpp:
1640         (JSC::ArrayAllocationProfile::updateProfile):
1641         * bytecode/ArrayAllocationProfile.h:
1642         (JSC::ArrayAllocationProfile::initializeIndexingMode):
1643         * bytecode/ArrayProfile.cpp:
1644         (JSC::dumpArrayModes):
1645         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1646         * bytecode/ArrayProfile.h:
1647         (JSC::asArrayModes):
1648         (JSC::arrayModeFromStructure):
1649         (JSC::arrayModesInclude):
1650         (JSC::hasSeenCopyOnWriteArray):
1651         * bytecode/BytecodeList.json:
1652         * bytecode/CodeBlock.cpp:
1653         (JSC::CodeBlock::finishCreation):
1654         * bytecode/InlineAccess.cpp:
1655         (JSC::InlineAccess::generateArrayLength):
1656         * bytecode/UnlinkedCodeBlock.h:
1657         (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
1658         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1659         * bytecompiler/BytecodeGenerator.cpp:
1660         (JSC::BytecodeGenerator::newArrayAllocationProfile):
1661         (JSC::BytecodeGenerator::emitNewArrayBuffer):
1662         (JSC::BytecodeGenerator::emitNewArray):
1663         (JSC::BytecodeGenerator::emitNewArrayWithSize):
1664         (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
1665         * bytecompiler/BytecodeGenerator.h:
1666         * bytecompiler/NodesCodegen.cpp:
1667         (JSC::ArrayNode::emitBytecode):
1668         (JSC::ArrayPatternNode::bindValue const):
1669         (JSC::ArrayPatternNode::emitDirectBinding):
1670         * dfg/DFGAbstractInterpreterInlines.h:
1671         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1672         * dfg/DFGArgumentsEliminationPhase.cpp:
1673         * dfg/DFGArgumentsUtilities.cpp:
1674         (JSC::DFG::emitCodeToGetArgumentsArrayLength):
1675         * dfg/DFGArrayMode.cpp:
1676         (JSC::DFG::ArrayMode::fromObserved):
1677         (JSC::DFG::ArrayMode::refine const):
1678         (JSC::DFG::ArrayMode::alreadyChecked const):
1679         * dfg/DFGArrayMode.h:
1680         (JSC::DFG::ArrayMode::ArrayMode):
1681         (JSC::DFG::ArrayMode::action const):
1682         (JSC::DFG::ArrayMode::withSpeculation const):
1683         (JSC::DFG::ArrayMode::withArrayClass const):
1684         (JSC::DFG::ArrayMode::withType const):
1685         (JSC::DFG::ArrayMode::withConversion const):
1686         (JSC::DFG::ArrayMode::withTypeAndConversion const):
1687         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1688         (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
1689         * dfg/DFGByteCodeParser.cpp:
1690         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1691         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
1692         (JSC::DFG::ByteCodeParser::parseBlock):
1693         * dfg/DFGClobberize.h:
1694         (JSC::DFG::clobberize):
1695         * dfg/DFGConstantFoldingPhase.cpp:
1696         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1697         * dfg/DFGFixupPhase.cpp:
1698         (JSC::DFG::FixupPhase::fixupNode):
1699         (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
1700         (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
1701         * dfg/DFGGraph.cpp:
1702         (JSC::DFG::Graph::dump):
1703         * dfg/DFGNode.h:
1704         (JSC::DFG::Node::indexingType):
1705         (JSC::DFG::Node::indexingMode):
1706         * dfg/DFGOSRExit.cpp:
1707         (JSC::DFG::OSRExit::compileExit):
1708         * dfg/DFGOperations.cpp:
1709         * dfg/DFGOperations.h:
1710         * dfg/DFGSpeculativeJIT.cpp:
1711         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1712         (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1713         (JSC::DFG::SpeculativeJIT::arrayify):
1714         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1715         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1716         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1717         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1718         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1719         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1720         (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
1721         * dfg/DFGSpeculativeJIT32_64.cpp:
1722         (JSC::DFG::SpeculativeJIT::compile):
1723         * dfg/DFGSpeculativeJIT64.cpp:
1724         (JSC::DFG::SpeculativeJIT::compile):
1725         * dfg/DFGValidate.cpp:
1726         * ftl/FTLAbstractHeapRepository.h:
1727         * ftl/FTLLowerDFGToB3.cpp:
1728         (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure):
1729         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1730         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1731         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1732         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1733         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
1734         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
1735         (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
1736         * ftl/FTLOperations.cpp:
1737         (JSC::FTL::operationMaterializeObjectInOSR):
1738         * generate-bytecode-files:
1739         * interpreter/Interpreter.cpp:
1740         (JSC::sizeOfVarargs):
1741         (JSC::loadVarargs):
1742         * jit/AssemblyHelpers.cpp:
1743         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1744         * jit/AssemblyHelpers.h:
1745         (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
1746         * jit/JITOperations.cpp:
1747         * jit/JITPropertyAccess.cpp:
1748         (JSC::JIT::emit_op_put_by_val):
1749         (JSC::JIT::emitSlow_op_put_by_val):
1750         * jit/Repatch.cpp:
1751         (JSC::tryCachePutByID):
1752         * llint/LowLevelInterpreter.asm:
1753         * llint/LowLevelInterpreter32_64.asm:
1754         * llint/LowLevelInterpreter64.asm:
1755         * runtime/Butterfly.h:
1756         (JSC::ContiguousData::Data::Data):
1757         (JSC::ContiguousData::Data::operator bool const):
1758         (JSC::ContiguousData::Data::operator=):
1759         (JSC::ContiguousData::Data::operator const T& const):
1760         (JSC::ContiguousData::Data::set):
1761         (JSC::ContiguousData::Data::setWithoutWriteBarrier):
1762         (JSC::ContiguousData::Data::clear):
1763         (JSC::ContiguousData::Data::get const):
1764         (JSC::ContiguousData::atUnsafe):
1765         (JSC::ContiguousData::at const): Deleted.
1766         (JSC::ContiguousData::at): Deleted.
1767         * runtime/ButterflyInlines.h:
1768         (JSC::ContiguousData<T>::at const):
1769         (JSC::ContiguousData<T>::at):
1770         * runtime/ClonedArguments.cpp:
1771         (JSC::ClonedArguments::createEmpty):
1772         * runtime/CommonSlowPaths.cpp:
1773         (JSC::SLOW_PATH_DECL):
1774         * runtime/CommonSlowPaths.h:
1775         (JSC::CommonSlowPaths::allocateNewArrayBuffer):
1776         * runtime/IndexingType.cpp:
1777         (JSC::leastUpperBoundOfIndexingTypeAndType):
1778         (JSC::leastUpperBoundOfIndexingTypeAndValue):
1779         (JSC::dumpIndexingType):
1780         * runtime/IndexingType.h:
1781         (JSC::hasIndexedProperties):
1782         (JSC::hasUndecided):
1783         (JSC::hasInt32):
1784         (JSC::hasDouble):
1785         (JSC::hasContiguous):
1786         (JSC::hasArrayStorage):
1787         (JSC::hasAnyArrayStorage):
1788         (JSC::hasSlowPutArrayStorage):
1789         (JSC::shouldUseSlowPut):
1790         (JSC::isCopyOnWrite):
1791         (JSC::arrayIndexFromIndexingType):
1792         * runtime/JSArray.cpp:
1793         (JSC::JSArray::tryCreateUninitializedRestricted):
1794         (JSC::JSArray::put):
1795         (JSC::JSArray::appendMemcpy):
1796         (JSC::JSArray::setLength):
1797         (JSC::JSArray::pop):
1798         (JSC::JSArray::fastSlice):
1799         (JSC::JSArray::shiftCountWithAnyIndexingType):
1800         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1801         (JSC::JSArray::fillArgList):
1802         (JSC::JSArray::copyToArguments):
1803         * runtime/JSArrayInlines.h:
1804         (JSC::JSArray::pushInline):
1805         * runtime/JSCell.h:
1806         * runtime/JSCellInlines.h:
1807         (JSC::JSCell::JSCell):
1808         (JSC::JSCell::finishCreation):
1809         (JSC::JSCell::indexingType const):
1810         (JSC::JSCell::indexingMode const):
1811         (JSC::JSCell::setStructure):
1812         * runtime/JSFixedArray.h:
1813         * runtime/JSGlobalObject.cpp:
1814         (JSC::JSGlobalObject::init):
1815         (JSC::JSGlobalObject::haveABadTime):
1816         (JSC::JSGlobalObject::visitChildren):
1817         * runtime/JSGlobalObject.h:
1818         (JSC::JSGlobalObject::originalArrayStructureForIndexingType const):
1819         (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const):
1820         (JSC::JSGlobalObject::isOriginalArrayStructure):
1821         * runtime/JSImmutableButterfly.cpp: Added.
1822         (JSC::JSImmutableButterfly::visitChildren):
1823         (JSC::JSImmutableButterfly::copyToArguments):
1824         * runtime/JSImmutableButterfly.h: Added.
1825         (JSC::JSImmutableButterfly::createStructure):
1826         (JSC::JSImmutableButterfly::tryCreate):
1827         (JSC::JSImmutableButterfly::create):
1828         (JSC::JSImmutableButterfly::publicLength const):
1829         (JSC::JSImmutableButterfly::vectorLength const):
1830         (JSC::JSImmutableButterfly::length const):
1831         (JSC::JSImmutableButterfly::toButterfly const):
1832         (JSC::JSImmutableButterfly::fromButterfly):
1833         (JSC::JSImmutableButterfly::get const):
1834         (JSC::JSImmutableButterfly::subspaceFor):
1835         (JSC::JSImmutableButterfly::setIndex):
1836         (JSC::JSImmutableButterfly::allocationSize):
1837         (JSC::JSImmutableButterfly::JSImmutableButterfly):
1838         * runtime/JSObject.cpp:
1839         (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
1840         (JSC::JSObject::visitButterflyImpl):
1841         (JSC::JSObject::getOwnPropertySlotByIndex):
1842         (JSC::JSObject::putByIndex):
1843         (JSC::JSObject::createInitialInt32):
1844         (JSC::JSObject::createInitialDouble):
1845         (JSC::JSObject::createInitialContiguous):
1846         (JSC::JSObject::convertUndecidedToInt32):
1847         (JSC::JSObject::convertUndecidedToDouble):
1848         (JSC::JSObject::convertUndecidedToContiguous):
1849         (JSC::JSObject::convertInt32ToDouble):
1850         (JSC::JSObject::convertInt32ToArrayStorage):
1851         (JSC::JSObject::convertDoubleToContiguous):
1852         (JSC::JSObject::convertDoubleToArrayStorage):
1853         (JSC::JSObject::convertContiguousToArrayStorage):
1854         (JSC::JSObject::createInitialForValueAndSet):
1855         (JSC::JSObject::convertInt32ForValue):
1856         (JSC::JSObject::convertFromCopyOnWrite):
1857         (JSC::JSObject::ensureWritableInt32Slow):
1858         (JSC::JSObject::ensureWritableDoubleSlow):
1859         (JSC::JSObject::ensureWritableContiguousSlow):
1860         (JSC::JSObject::ensureArrayStorageSlow):
1861         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1862         (JSC::JSObject::switchToSlowPutArrayStorage):
1863         (JSC::JSObject::deletePropertyByIndex):
1864         (JSC::JSObject::getOwnPropertyNames):
1865         (JSC::canDoFastPutDirectIndex):
1866         (JSC::JSObject::defineOwnIndexedProperty):
1867         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1868         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1869         (JSC::JSObject::putByIndexBeyondVectorLength):
1870         (JSC::JSObject::countElements):
1871         (JSC::JSObject::ensureLengthSlow):
1872         (JSC::JSObject::getEnumerableLength):
1873         (JSC::JSObject::ensureInt32Slow): Deleted.
1874         (JSC::JSObject::ensureDoubleSlow): Deleted.
1875         (JSC::JSObject::ensureContiguousSlow): Deleted.
1876         * runtime/JSObject.h:
1877         (JSC::JSObject::putDirectIndex):
1878         (JSC::JSObject::canGetIndexQuickly):
1879         (JSC::JSObject::getIndexQuickly):
1880         (JSC::JSObject::tryGetIndexQuickly const):
1881         (JSC::JSObject::canSetIndexQuickly):
1882         (JSC::JSObject::setIndexQuickly):
1883         (JSC::JSObject::initializeIndex):
1884         (JSC::JSObject::initializeIndexWithoutBarrier):
1885         (JSC::JSObject::ensureWritableInt32):
1886         (JSC::JSObject::ensureWritableDouble):
1887         (JSC::JSObject::ensureWritableContiguous):
1888         (JSC::JSObject::ensureLength):
1889         (JSC::JSObject::ensureInt32): Deleted.
1890         (JSC::JSObject::ensureDouble): Deleted.
1891         (JSC::JSObject::ensureContiguous): Deleted.
1892         * runtime/JSObjectInlines.h:
1893         (JSC::JSObject::putDirectInternal):
1894         * runtime/JSType.h:
1895         * runtime/RegExpMatchesArray.h:
1896         (JSC::tryCreateUninitializedRegExpMatchesArray):
1897         * runtime/Structure.cpp:
1898         (JSC::Structure::Structure):
1899         (JSC::Structure::addNewPropertyTransition):
1900         (JSC::Structure::nonPropertyTransition):
1901         * runtime/Structure.h:
1902         * runtime/StructureIDBlob.h:
1903         (JSC::StructureIDBlob::StructureIDBlob):
1904         (JSC::StructureIDBlob::indexingModeIncludingHistory const):
1905         (JSC::StructureIDBlob::setIndexingModeIncludingHistory):
1906         (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset):
1907         (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted.
1908         (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted.
1909         (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted.
1910         * runtime/StructureTransitionTable.h:
1911         (JSC::newIndexingType):
1912         * runtime/VM.cpp:
1913         (JSC::VM::VM):
1914         * runtime/VM.h:
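
The IndexingTypeAndMisc bit layout and the CoW rules stated in the entry above, worked through as an added example; this is not JavaScriptCore's code. The bit positions are the ones the entry lists; the numeric shape encodings, the helper names (makeIndexingMode, convertFromCopyOnWrite, isValidCopyOnWriteMode, indexingMode, indexingType) and the example namespace are this example's own assumptions.

```cpp
// Added example, not JavaScriptCore's code: models the IndexingTypeAndMisc
// bit layout from the ChangeLog entry and the CoW rules it states.
#include <cstdint>
#include <stdexcept>

namespace example {

using IndexingType = uint8_t;

// Bit positions taken from the entry: isArray bit 0, shape bits 1-3,
// copyOnWrite bit 4, mayHaveIndexedAccessors bit 5, cellLockBits bits 6-7.
constexpr IndexingType IsArrayBit                 = 0x01;
constexpr IndexingType ShapeMask                  = 0x0E;
constexpr IndexingType CopyOnWriteBit             = 0x10;
constexpr IndexingType MayHaveIndexedAccessorsBit = 0x20;
constexpr IndexingType CellLockMask               = 0xC0;
constexpr IndexingType IndexingModeMask           = IsArrayBit | ShapeMask | CopyOnWriteBit; // 0x1F

// Shape values stored in bits 1-3. The names follow the entry; the numeric
// encodings are an assumption of this example, not JSC's actual values.
enum Shape : uint8_t {
    NoIndexingShape = 0,
    UndecidedShape = 1,
    Int32Shape = 2,
    DoubleShape = 3,
    ContiguousShape = 4,
    ArrayStorageShape = 5,
    SlowPutArrayStorageShape = 6,
};

constexpr Shape shapeOf(IndexingType t) { return static_cast<Shape>((t & ShapeMask) >> 1); }
constexpr bool isArray(IndexingType t) { return (t & IsArrayBit) != 0; }
constexpr bool isCopyOnWrite(IndexingType t) { return (t & CopyOnWriteBit) != 0; }
constexpr bool hasAnyArrayStorage(IndexingType t) { return shapeOf(t) >= ArrayStorageShape; }

// The entry states that only ArrayWithInt32, ArrayWithDouble and
// ArrayWithContiguous may be CoW; ArrayStorage shapes never are.
constexpr bool isValidCopyOnWriteMode(bool array, Shape shape)
{
    return array && (shape == Int32Shape || shape == DoubleShape || shape == ContiguousShape);
}

// Assemble an IndexingMode (isArray + shape + copyOnWrite), rejecting
// combinations the entry rules out.
inline IndexingType makeIndexingMode(bool array, Shape shape, bool copyOnWrite)
{
    IndexingType mode = static_cast<IndexingType>(shape << 1);
    if (array)
        mode |= IsArrayBit;
    if (copyOnWrite) {
        if (!isValidCopyOnWriteMode(array, shape))
            throw std::invalid_argument("only ArrayWithInt32/Double/Contiguous may be CoW");
        mode |= CopyOnWriteBit;
    }
    return mode;
}

// A store or grow on a CoW array copies the butterfly and then continues on
// the writable path: the shape is kept, only the copyOnWrite bit is cleared.
constexpr IndexingType convertFromCopyOnWrite(IndexingType mode)
{
    return static_cast<IndexingType>(mode & ~CopyOnWriteBit);
}

// Extract the IndexingMode from the full byte, dropping the history bit and
// the cell lock bits that share the byte with it.
constexpr IndexingType indexingMode(IndexingType typeAndMisc)
{
    return static_cast<IndexingType>(typeAndMisc & IndexingModeMask);
}

// Drop the copyOnWrite bit as well, leaving the IndexingType part alone.
constexpr IndexingType indexingType(IndexingType typeAndMisc)
{
    return static_cast<IndexingType>(typeAndMisc & (IsArrayBit | ShapeMask));
}

} // namespace example
```

makeIndexingMode throws if asked for a CoW mode the entry does not allow (a non-array, or an ArrayStorage shape), and convertFromCopyOnWrite shows why a write on a CoW array changes only one bit: the indexing shape survives the copy, so later allocations from the same profile keep using it.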
1915
1916 2018-05-22  Ryan Haddad  <ryanhaddad@apple.com>
1917
1918         Unreviewed, rolling out r232052.
1919
1920         Breaks internal builds.
1921
1922         Reverted changeset:
1923
1924         "Use more C++17"
1925         https://bugs.webkit.org/show_bug.cgi?id=185176
1926         https://trac.webkit.org/changeset/232052
1927
1928 2018-05-22  Alberto Garcia  <berto@igalia.com>
1929
1930         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
1931         https://bugs.webkit.org/show_bug.cgi?id=182622
1932         <rdar://problem/40292317>
1933
1934         Reviewed by Michael Catanzaro.
1935
1936         We were linking JavaScriptCore against libatomic in MIPS because
1937         in that architecture __atomic_fetch_add_8() is not a compiler
1938         intrinsic and is provided by that library instead. However other
1939         architectures (e.g. armel) are in the same situation, so we need a
1940         generic test.
1941
1942         That test already exists in WebKit/CMakeLists.txt, so we just have
1943         to move it to a common file (WebKitCompilerFlags.cmake) and use
1944         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
1945
1946         * CMakeLists.txt:
1947
1948 2018-05-22  Michael Catanzaro  <mcatanzaro@igalia.com>
1949
1950         Unreviewed, rolling out r231843.
1951
1952         Broke cross build
1953
1954         Reverted changeset:
1955
1956         "[CMake] Properly detect compiler flags, needed libs, and
1957         fallbacks for usage of 64-bit atomic operations"
1958         https://bugs.webkit.org/show_bug.cgi?id=182622
1959         https://trac.webkit.org/changeset/231843
1960
1961 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1962
1963         Use more C++17
1964         https://bugs.webkit.org/show_bug.cgi?id=185176
1965
1966         Reviewed by JF Bastien.
1967
1968         * Configurations/Base.xcconfig:
1969
1970 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1971
1972         [JSC] Remove duplicate methods in JSInterfaceJIT
1973         https://bugs.webkit.org/show_bug.cgi?id=185813
1974
1975         Reviewed by Saam Barati.
1976
1977         Some methods of JSInterfaceJIT are duplicates of AssemblyHelpers' ones.
1978         This patch removes these ones and uses AssemblyHelpers' ones instead.
1979
1980         This patch also cleans up ThunkGenerators' unnecessary ifdefs a bit.
1981
1982         * jit/AssemblyHelpers.h:
1983         (JSC::AssemblyHelpers::tagFor):
1984         (JSC::AssemblyHelpers::payloadFor):
1985         * jit/JIT.h:
1986         * jit/JITArithmetic.cpp:
1987         (JSC::JIT::emit_op_unsigned):
1988         (JSC::JIT::emit_compareUnsigned):
1989         (JSC::JIT::emit_op_inc):
1990         (JSC::JIT::emit_op_dec):
1991         (JSC::JIT::emit_op_mod):
1992         * jit/JITCall32_64.cpp:
1993         (JSC::JIT::compileOpCall):
1994         * jit/JITInlines.h:
1995         (JSC::JIT::emitPutIntToCallFrameHeader):
1996         (JSC::JIT::updateTopCallFrame):
1997         (JSC::JIT::emitInitRegister):
1998         (JSC::JIT::emitLoad):
1999         (JSC::JIT::emitStore):
2000         (JSC::JIT::emitStoreInt32):
2001         (JSC::JIT::emitStoreCell):
2002         (JSC::JIT::emitStoreBool):
2003         (JSC::JIT::emitGetVirtualRegister):
2004         (JSC::JIT::emitPutVirtualRegister):
2005         (JSC::JIT::emitTagBool): Deleted.
2006         * jit/JITOpcodes.cpp:
2007         (JSC::JIT::emit_op_overrides_has_instance):
2008         (JSC::JIT::emit_op_is_empty):
2009         (JSC::JIT::emit_op_is_undefined):
2010         (JSC::JIT::emit_op_is_boolean):
2011         (JSC::JIT::emit_op_is_number):
2012         (JSC::JIT::emit_op_is_cell_with_type):
2013         (JSC::JIT::emit_op_is_object):
2014         (JSC::JIT::emit_op_eq):
2015         (JSC::JIT::emit_op_neq):
2016         (JSC::JIT::compileOpStrictEq):
2017         (JSC::JIT::emit_op_eq_null):
2018         (JSC::JIT::emit_op_neq_null):
2019         (JSC::JIT::emitSlow_op_eq):
2020         (JSC::JIT::emitSlow_op_neq):
2021         (JSC::JIT::emitSlow_op_instanceof_custom):
2022         (JSC::JIT::emitNewFuncExprCommon):
2023         * jit/JSInterfaceJIT.h:
2024         (JSC::JSInterfaceJIT::emitLoadInt32):
2025         (JSC::JSInterfaceJIT::emitLoadDouble):
2026         (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
2027         (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
2028         (JSC::JSInterfaceJIT::tagFor): Deleted.
2029         (JSC::JSInterfaceJIT::payloadFor): Deleted.
2030         (JSC::JSInterfaceJIT::intPayloadFor): Deleted.
2031         (JSC::JSInterfaceJIT::intTagFor): Deleted.
2032         (JSC::JSInterfaceJIT::emitTagInt): Deleted.
2033         (JSC::JSInterfaceJIT::addressFor): Deleted.
2034         * jit/SpecializedThunkJIT.h:
2035         (JSC::SpecializedThunkJIT::returnDouble):
2036         * jit/ThunkGenerators.cpp:
2037         (JSC::nativeForGenerator):
2038         (JSC::arityFixupGenerator):
2039
2040 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2041
2042         Unreviewed, reland InById cache
2043         https://bugs.webkit.org/show_bug.cgi?id=185682
2044
2045         Includes Dominik's 32bit fix.
2046
2047         * bytecode/AccessCase.cpp:
2048         (JSC::AccessCase::fromStructureStubInfo):
2049         (JSC::AccessCase::generateWithGuard):
2050         (JSC::AccessCase::generateImpl):
2051         * bytecode/BytecodeDumper.cpp:
2052         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2053         (JSC::BytecodeDumper<Block>::dumpBytecode):
2054         * bytecode/BytecodeDumper.h:
2055         * bytecode/BytecodeList.json:
2056         * bytecode/BytecodeUseDef.h:
2057         (JSC::computeUsesForBytecodeOffset):
2058         (JSC::computeDefsForBytecodeOffset):
2059         * bytecode/CodeBlock.cpp:
2060         (JSC::CodeBlock::finishCreation):
2061         * bytecode/InlineAccess.cpp:
2062         (JSC::InlineAccess::generateSelfInAccess):
2063         * bytecode/InlineAccess.h:
2064         * bytecode/StructureStubInfo.cpp:
2065         (JSC::StructureStubInfo::initInByIdSelf):
2066         (JSC::StructureStubInfo::deref):
2067         (JSC::StructureStubInfo::aboutToDie):
2068         (JSC::StructureStubInfo::reset):
2069         (JSC::StructureStubInfo::visitWeakReferences):
2070         (JSC::StructureStubInfo::propagateTransitions):
2071         * bytecode/StructureStubInfo.h:
2072         (JSC::StructureStubInfo::patchableJump):
2073         * bytecompiler/BytecodeGenerator.cpp:
2074         (JSC::BytecodeGenerator::emitInByVal):
2075         (JSC::BytecodeGenerator::emitInById):
2076         (JSC::BytecodeGenerator::emitIn): Deleted.
2077         * bytecompiler/BytecodeGenerator.h:
2078         * bytecompiler/NodesCodegen.cpp:
2079         (JSC::InNode::emitBytecode):
2080         * dfg/DFGAbstractInterpreterInlines.h:
2081         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2082         * dfg/DFGByteCodeParser.cpp:
2083         (JSC::DFG::ByteCodeParser::parseBlock):
2084         * dfg/DFGCapabilities.cpp:
2085         (JSC::DFG::capabilityLevel):
2086         * dfg/DFGClobberize.h:
2087         (JSC::DFG::clobberize):
2088         * dfg/DFGConstantFoldingPhase.cpp:
2089         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2090         * dfg/DFGDoesGC.cpp:
2091         (JSC::DFG::doesGC):
2092         * dfg/DFGFixupPhase.cpp:
2093         (JSC::DFG::FixupPhase::fixupNode):
2094         * dfg/DFGJITCompiler.cpp:
2095         (JSC::DFG::JITCompiler::link):
2096         * dfg/DFGJITCompiler.h:
2097         (JSC::DFG::JITCompiler::addInById):
2098         (JSC::DFG::InRecord::InRecord): Deleted.
2099         (JSC::DFG::JITCompiler::addIn): Deleted.
2100         * dfg/DFGNode.h:
2101         (JSC::DFG::Node::convertToInById):
2102         (JSC::DFG::Node::hasIdentifier):
2103         (JSC::DFG::Node::hasArrayMode):
2104         * dfg/DFGNodeType.h:
2105         * dfg/DFGPredictionPropagationPhase.cpp:
2106         * dfg/DFGSafeToExecute.h:
2107         (JSC::DFG::safeToExecute):
2108         * dfg/DFGSpeculativeJIT.cpp:
2109         (JSC::DFG::SpeculativeJIT::compileInById):
2110         (JSC::DFG::SpeculativeJIT::compileInByVal):
2111         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2112         * dfg/DFGSpeculativeJIT.h:
2113         * dfg/DFGSpeculativeJIT32_64.cpp:
2114         (JSC::DFG::SpeculativeJIT::compile):
2115         * dfg/DFGSpeculativeJIT64.cpp:
2116         (JSC::DFG::SpeculativeJIT::compile):
2117         * ftl/FTLCapabilities.cpp:
2118         (JSC::FTL::canCompile):
2119         * ftl/FTLLowerDFGToB3.cpp:
2120         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2121         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2122         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2123         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2124         * jit/AssemblyHelpers.h:
2125         (JSC::AssemblyHelpers::boxBoolean):
2126         * jit/ICStats.h:
2127         * jit/JIT.cpp:
2128         (JSC::JIT::JIT):
2129         (JSC::JIT::privateCompileMainPass):
2130         (JSC::JIT::privateCompileSlowCases):
2131         (JSC::JIT::link):
2132         * jit/JIT.h:
2133         * jit/JITInlineCacheGenerator.cpp:
2134         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2135         (JSC::JITInByIdGenerator::generateFastPath):
2136         * jit/JITInlineCacheGenerator.h:
2137         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2138         * jit/JITOperations.cpp:
2139         * jit/JITOperations.h:
2140         * jit/JITPropertyAccess.cpp:
2141         (JSC::JIT::emit_op_in_by_id):
2142         (JSC::JIT::emitSlow_op_in_by_id):
2143         * jit/JITPropertyAccess32_64.cpp:
2144         (JSC::JIT::emit_op_in_by_id):
2145         (JSC::JIT::emitSlow_op_in_by_id):
2146         * jit/Repatch.cpp:
2147         (JSC::tryCacheInByID):
2148         (JSC::repatchInByID):
2149         (JSC::resetInByID):
2150         (JSC::tryCacheIn): Deleted.
2151         (JSC::repatchIn): Deleted.
2152         (JSC::resetIn): Deleted.
2153         * jit/Repatch.h:
2154         * llint/LowLevelInterpreter.asm:
2155         * llint/LowLevelInterpreter64.asm:
2156         * parser/NodeConstructors.h:
2157         (JSC::InNode::InNode):
2158         * runtime/CommonSlowPaths.cpp:
2159         (JSC::SLOW_PATH_DECL):
2160         * runtime/CommonSlowPaths.h:
2161         (JSC::CommonSlowPaths::opInByVal):
2162         (JSC::CommonSlowPaths::opIn): Deleted.
2163
2164 2018-05-21  Commit Queue  <commit-queue@webkit.org>
2165
2166         Unreviewed, rolling out r231998 and r232017.
2167         https://bugs.webkit.org/show_bug.cgi?id=185842
2168
2169         causes crashes on 32 JSC bot (Requested by realdawei on
2170         #webkit).
2171
2172         Reverted changesets:
2173
2174         "[JSC] JSC should have consistent InById IC"
2175         https://bugs.webkit.org/show_bug.cgi?id=185682
2176         https://trac.webkit.org/changeset/231998
2177
2178         "Unreviewed, fix 32bit and scope release"
2179         https://bugs.webkit.org/show_bug.cgi?id=185682
2180         https://trac.webkit.org/changeset/232017
2181
2182 2018-05-21  Jer Noble  <jer.noble@apple.com>
2183
2184         Complete fix for enabling modern EME by default
2185         https://bugs.webkit.org/show_bug.cgi?id=185770
2186         <rdar://problem/40368220>
2187
2188         Reviewed by Eric Carlson.
2189
2190         * Configurations/FeatureDefines.xcconfig:
2191
2192 2018-05-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2193
2194         Unreviewed, fix 32bit and scope release
2195         https://bugs.webkit.org/show_bug.cgi?id=185682
2196
2197         * jit/JITOperations.cpp:
2198         * jit/JITPropertyAccess32_64.cpp:
2199         (JSC::JIT::emitSlow_op_in_by_id):
2200
2201 2018-05-20  Filip Pizlo  <fpizlo@apple.com>
2202
2203         Revert the B3 compiler pipeline's treatment of taildup
2204         https://bugs.webkit.org/show_bug.cgi?id=185808
2205
2206         Reviewed by Yusuke Suzuki.
2207         
2208         While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline.
2209         But then path specialization turned out to be a negative result. This reverts the pipeline to the
2210         way it was before that work.
2211         
2212         1.5% progression on V8Spider-CompileTime.
2213
2214         * b3/B3Generate.cpp:
2215         (JSC::B3::generateToAir):
2216
2217 2018-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2218
2219         [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase
2220         https://bugs.webkit.org/show_bug.cgi?id=185802
2221
2222         Reviewed by Saam Barati.
2223
2224         * dfg/DFGConstantFoldingPhase.cpp:
2225         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2226
2227 2018-05-18  Filip Pizlo  <fpizlo@apple.com>
2228
2229         DFG should inline InstanceOf ICs
2230         https://bugs.webkit.org/show_bug.cgi?id=185695
2231
2232         Reviewed by Yusuke Suzuki.
2233         
2234         This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then
2235         be folded to a CheckStructure + JSConstant.
2236         
2237         In the process of testing this, I found a bug where LICM was not hoisting things that
2238         depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching
2239         LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed.
2240         
2241         This is a ~5% speed-up on boyer.
2242         
2243         ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and
2244         instanceof-sometimes-hit microbenchmarks.
2245
2246         * JavaScriptCore.xcodeproj/project.pbxproj:
2247         * Sources.txt:
2248         * bytecode/GetByIdStatus.cpp:
2249         (JSC::GetByIdStatus::appendVariant):
2250         (JSC::GetByIdStatus::filter):
2251         * bytecode/GetByIdStatus.h:
2252         (JSC::GetByIdStatus::operator bool const):
2253         (JSC::GetByIdStatus::operator! const): Deleted.
2254         * bytecode/GetByIdVariant.h:
2255         (JSC::GetByIdVariant::operator bool const):
2256         (JSC::GetByIdVariant::operator! const): Deleted.
2257         * bytecode/ICStatusUtils.h: Added.
2258         (JSC::appendICStatusVariant):
2259         (JSC::filterICStatusVariants):
2260         * bytecode/InstanceOfStatus.cpp: Added.
2261         (JSC::InstanceOfStatus::appendVariant):
2262         (JSC::InstanceOfStatus::computeFor):
2263         (JSC::InstanceOfStatus::computeForStubInfo):
2264         (JSC::InstanceOfStatus::commonPrototype const):
2265         (JSC::InstanceOfStatus::filter):
2266         * bytecode/InstanceOfStatus.h: Added.
2267         (JSC::InstanceOfStatus::InstanceOfStatus):
2268         (JSC::InstanceOfStatus::state const):
2269         (JSC::InstanceOfStatus::isSet const):
2270         (JSC::InstanceOfStatus::operator bool const):
2271         (JSC::InstanceOfStatus::isSimple const):
2272         (JSC::InstanceOfStatus::takesSlowPath const):
2273         (JSC::InstanceOfStatus::numVariants const):
2274         (JSC::InstanceOfStatus::variants const):
2275         (JSC::InstanceOfStatus::at const):
2276         (JSC::InstanceOfStatus::operator[] const):
2277         * bytecode/InstanceOfVariant.cpp: Added.
2278         (JSC::InstanceOfVariant::InstanceOfVariant):
2279         (JSC::InstanceOfVariant::attemptToMerge):
2280         (JSC::InstanceOfVariant::dump const):
2281         (JSC::InstanceOfVariant::dumpInContext const):
2282         * bytecode/InstanceOfVariant.h: Added.
2283         (JSC::InstanceOfVariant::InstanceOfVariant):
2284         (JSC::InstanceOfVariant::operator bool const):
2285         (JSC::InstanceOfVariant::structureSet const):
2286         (JSC::InstanceOfVariant::structureSet):
2287         (JSC::InstanceOfVariant::conditionSet const):
2288         (JSC::InstanceOfVariant::prototype const):
2289         (JSC::InstanceOfVariant::isHit const):
2290         * bytecode/StructureStubInfo.cpp:
2291         (JSC::StructureStubInfo::StructureStubInfo):
2292         * bytecode/StructureStubInfo.h:
2293         (JSC::StructureStubInfo::considerCaching):
2294         * dfg/DFGAbstractInterpreterInlines.h:
2295         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2296         * dfg/DFGByteCodeParser.cpp:
2297         (JSC::DFG::ByteCodeParser::parseBlock):
2298         * dfg/DFGClobberize.h:
2299         (JSC::DFG::clobberize):
2300         * dfg/DFGConstantFoldingPhase.cpp:
2301         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2302         * dfg/DFGDoesGC.cpp:
2303         (JSC::DFG::doesGC):
2304         * dfg/DFGFixupPhase.cpp:
2305         (JSC::DFG::FixupPhase::fixupNode):
2306         * dfg/DFGGraph.cpp:
2307         (JSC::DFG::Graph::dump):
2308         * dfg/DFGGraph.h:
2309         * dfg/DFGLICMPhase.cpp:
2310         (JSC::DFG::LICMPhase::attemptHoist):
2311         * dfg/DFGNode.cpp:
2312         (JSC::DFG::Node::remove):
2313         * dfg/DFGNode.h:
2314         (JSC::DFG::Node::hasMatchStructureData):
2315         (JSC::DFG::Node::matchStructureData):
2316         * dfg/DFGNodeType.h:
2317         * dfg/DFGSafeToExecute.h:
2318         (JSC::DFG::safeToExecute):
2319         * dfg/DFGSpeculativeJIT.cpp:
2320         (JSC::DFG::SpeculativeJIT::compileMatchStructure):
2321         * dfg/DFGSpeculativeJIT.h:
2322         * dfg/DFGSpeculativeJIT32_64.cpp:
2323         (JSC::DFG::SpeculativeJIT::compile):
2324         * dfg/DFGSpeculativeJIT64.cpp:
2325         (JSC::DFG::SpeculativeJIT::compile):
2326         * ftl/FTLCapabilities.cpp:
2327         (JSC::FTL::canCompile):
2328         * ftl/FTLLowerDFGToB3.cpp:
2329         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2330         (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
2331
2332 2018-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2333
2334         [JSC] JSC should have consistent InById IC
2335         https://bugs.webkit.org/show_bug.cgi?id=185682
2336
2337         Reviewed by Filip Pizlo.
2338
        Currently our op_in IC is ad hoc: it is only emitted in DFG and FTL layers,
        when we find that DFG::In's parameter is a constant string. We should
        align this IC to the other ById ICs to clean up and remove ad hoc code
        in DFG and FTL.

        This patch cleans up our "In" IC by aligning it to the other ById ICs.
        We split the op_in bytecode into op_in_by_id and op_in_by_val. op_in_by_val
        is the same as the original op_in. For op_in_by_id, we use JITInByIdGenerator
        to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
        have an inline access cache for the own property case, which is the same as
        in JITGetByIdGenerator.

        And we split DFG::In into DFG::InById and DFG::InByVal. InByVal is the same
        as the original In DFG node. DFG AI attempts to lower InByVal to InById
        if AI figured out that the property name is a constant string. And in
        the InById node, we use JITInByIdGenerator code.
2355
2356         This patch cleans up DFG and FTL's adhoc In IC code.
2357
2358         In a subsequent patch, we should introduce InByIdStatus to optimize
2359         InById in DFG and FTL. We would like to have a new InByIdStatus instead of
2360         reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
2361         AccessCase::Types are different from them (AccessCase::InHit / InMiss).
2362
2363         * bytecode/AccessCase.cpp:
2364         (JSC::AccessCase::fromStructureStubInfo):
2365         (JSC::AccessCase::generateWithGuard):
2366         * bytecode/BytecodeDumper.cpp:
2367         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
2368         (JSC::BytecodeDumper<Block>::dumpBytecode):
2369         * bytecode/BytecodeDumper.h:
2370         * bytecode/BytecodeList.json:
2371         * bytecode/BytecodeUseDef.h:
2372         (JSC::computeUsesForBytecodeOffset):
2373         (JSC::computeDefsForBytecodeOffset):
2374         * bytecode/CodeBlock.cpp:
2375         (JSC::CodeBlock::finishCreation):
2376         * bytecode/InlineAccess.cpp:
2377         (JSC::InlineAccess::generateSelfInAccess):
2378         * bytecode/InlineAccess.h:
2379         * bytecode/StructureStubInfo.cpp:
2380         (JSC::StructureStubInfo::initInByIdSelf):
2381         (JSC::StructureStubInfo::deref):
2382         (JSC::StructureStubInfo::aboutToDie):
2383         (JSC::StructureStubInfo::reset):
2384         (JSC::StructureStubInfo::visitWeakReferences):
2385         (JSC::StructureStubInfo::propagateTransitions):
2386         * bytecode/StructureStubInfo.h:
2387         (JSC::StructureStubInfo::patchableJump):
2388         * bytecompiler/BytecodeGenerator.cpp:
2389         (JSC::BytecodeGenerator::emitInByVal):
2390         (JSC::BytecodeGenerator::emitInById):
2391         (JSC::BytecodeGenerator::emitIn): Deleted.
2392         * bytecompiler/BytecodeGenerator.h:
2393         * bytecompiler/NodesCodegen.cpp:
2394         (JSC::InNode::emitBytecode):
2395         * dfg/DFGAbstractInterpreterInlines.h:
2396         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2397         * dfg/DFGByteCodeParser.cpp:
2398         (JSC::DFG::ByteCodeParser::parseBlock):
2399         * dfg/DFGCapabilities.cpp:
2400         (JSC::DFG::capabilityLevel):
2401         * dfg/DFGClobberize.h:
2402         (JSC::DFG::clobberize):
2403         * dfg/DFGConstantFoldingPhase.cpp:
2404         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2405         * dfg/DFGDoesGC.cpp:
2406         (JSC::DFG::doesGC):
2407         * dfg/DFGFixupPhase.cpp:
2408         (JSC::DFG::FixupPhase::fixupNode):
2409         * dfg/DFGJITCompiler.cpp:
2410         (JSC::DFG::JITCompiler::link):
2411         * dfg/DFGJITCompiler.h:
2412         (JSC::DFG::JITCompiler::addInById):
2413         (JSC::DFG::InRecord::InRecord): Deleted.
2414         (JSC::DFG::JITCompiler::addIn): Deleted.
2415         * dfg/DFGNode.h:
2416         (JSC::DFG::Node::convertToInById):
2417         (JSC::DFG::Node::hasIdentifier):
2418         (JSC::DFG::Node::hasArrayMode):
2419         * dfg/DFGNodeType.h:
2420         * dfg/DFGPredictionPropagationPhase.cpp:
2421         * dfg/DFGSafeToExecute.h:
2422         (JSC::DFG::safeToExecute):
2423         * dfg/DFGSpeculativeJIT.cpp:
2424         (JSC::DFG::SpeculativeJIT::compileInById):
2425         (JSC::DFG::SpeculativeJIT::compileInByVal):
2426         (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
2427         * dfg/DFGSpeculativeJIT.h:
2428         * dfg/DFGSpeculativeJIT32_64.cpp:
2429         (JSC::DFG::SpeculativeJIT::compile):
2430         * dfg/DFGSpeculativeJIT64.cpp:
2431         (JSC::DFG::SpeculativeJIT::compile):
2432         * ftl/FTLCapabilities.cpp:
2433         (JSC::FTL::canCompile):
2434         * ftl/FTLLowerDFGToB3.cpp:
2435         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2436         (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
2437         (JSC::FTL::DFG::LowerDFGToB3::compileInById):
2438         (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
2439         * jit/ICStats.h:
2440         * jit/JIT.cpp:
2441         (JSC::JIT::JIT):
2442         (JSC::JIT::privateCompileMainPass):
2443         (JSC::JIT::privateCompileSlowCases):
2444         (JSC::JIT::link):
2445         * jit/JIT.h:
2446         * jit/JITInlineCacheGenerator.cpp:
2447         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2448         (JSC::JITInByIdGenerator::generateFastPath):
2449         * jit/JITInlineCacheGenerator.h:
2450         (JSC::JITInByIdGenerator::JITInByIdGenerator):
2451         * jit/JITOperations.cpp:
2452         * jit/JITOperations.h:
2453         * jit/JITPropertyAccess.cpp:
2454         (JSC::JIT::emit_op_in_by_id):
2455         (JSC::JIT::emitSlow_op_in_by_id):
2456         * jit/JITPropertyAccess32_64.cpp:
2457         (JSC::JIT::emit_op_in_by_id):
2458         (JSC::JIT::emitSlow_op_in_by_id):
2459         * jit/Repatch.cpp:
2460         (JSC::tryCacheInByID):
2461         (JSC::repatchInByID):
2462         (JSC::resetInByID):
2463         (JSC::tryCacheIn): Deleted.
2464         (JSC::repatchIn): Deleted.
2465         (JSC::resetIn): Deleted.
2466         * jit/Repatch.h:
2467         * llint/LowLevelInterpreter.asm:
2468         * llint/LowLevelInterpreter64.asm:
2469         * parser/NodeConstructors.h:
2470         (JSC::InNode::InNode):
2471         * runtime/CommonSlowPaths.cpp:
2472         (JSC::SLOW_PATH_DECL):
2473         * runtime/CommonSlowPaths.h:
2474         (JSC::CommonSlowPaths::opInByVal):
2475         (JSC::CommonSlowPaths::opIn): Deleted.
2476
2477 2018-05-18  Commit Queue  <commit-queue@webkit.org>
2478
2479         Unreviewed, rolling out r231982.
2480         https://bugs.webkit.org/show_bug.cgi?id=185793
2481
2482         Caused layout test failures (Requested by realdawei on
2483         #webkit).
2484
2485         Reverted changeset:
2486
2487         "Complete fix for enabling modern EME by default"
2488         https://bugs.webkit.org/show_bug.cgi?id=185770
2489         https://trac.webkit.org/changeset/231982
2490
2491 2018-05-18  Keith Miller  <keith_miller@apple.com>
2492
2493         op_in should mark if it sees out of bounds accesses
2494         https://bugs.webkit.org/show_bug.cgi?id=185792
2495
2496         Reviewed by Filip Pizlo.
2497
        This used to cause us to OSR loop since we would always speculate
        that we were in bounds in HasIndexedProperty.
2500
2501         * bytecode/ArrayProfile.cpp:
2502         (JSC::ArrayProfile::observeIndexedRead):
2503         * bytecode/ArrayProfile.h:
2504         * runtime/CommonSlowPaths.h:
2505         (JSC::CommonSlowPaths::opIn):
2506
2507 2018-05-18  Mark Lam  <mark.lam@apple.com>
2508
2509         Add missing exception check.
2510         https://bugs.webkit.org/show_bug.cgi?id=185786
2511         <rdar://problem/35686560>
2512
2513         Reviewed by Michael Saboff.
2514
2515         * runtime/JSPropertyNameEnumerator.h:
2516         (JSC::propertyNameEnumerator):
2517
2518 2018-05-18  Jer Noble  <jer.noble@apple.com>
2519
2520         Complete fix for enabling modern EME by default
2521         https://bugs.webkit.org/show_bug.cgi?id=185770
2522         <rdar://problem/40368220>
2523
2524         Reviewed by Eric Carlson.
2525
2526         * Configurations/FeatureDefines.xcconfig:
2527
2528 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2529
2530         Unreviewed, fix exception checking, part 2
2531         https://bugs.webkit.org/show_bug.cgi?id=185350
2532
2533         * dfg/DFGOperations.cpp:
2534         (JSC::DFG::putByValInternal):
2535         * jit/JITOperations.cpp:
2536         * runtime/CommonSlowPaths.h:
2537         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2538
2539 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
2540
2541         JSC should have InstanceOf inline caching
2542         https://bugs.webkit.org/show_bug.cgi?id=185652
2543
2544         Reviewed by Saam Barati.
2545         
2546         This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
2547         existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
2548         too many cases, we emit the generic instanceof implementation instead.
2549         
2550         All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
2551         abstraction.
2552         
2553         This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
2554         Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
2555
2556         * API/tests/testapi.mm:
2557         (testObjectiveCAPIMain):
2558         * JavaScriptCore.xcodeproj/project.pbxproj:
2559         * Sources.txt:
2560         * b3/B3Effects.h:
2561         (JSC::B3::Effects::forReadOnlyCall):
2562         * bytecode/AccessCase.cpp:
2563         (JSC::AccessCase::guardedByStructureCheck const):
2564         (JSC::AccessCase::canReplace const):
2565         (JSC::AccessCase::visitWeak const):
2566         (JSC::AccessCase::generateWithGuard):
2567         (JSC::AccessCase::generateImpl):
2568         * bytecode/AccessCase.h:
2569         * bytecode/InstanceOfAccessCase.cpp: Added.
2570         (JSC::InstanceOfAccessCase::create):
2571         (JSC::InstanceOfAccessCase::dumpImpl const):
2572         (JSC::InstanceOfAccessCase::clone const):
2573         (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
2574         (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
2575         * bytecode/InstanceOfAccessCase.h: Added.
2576         (JSC::InstanceOfAccessCase::prototype const):
2577         * bytecode/ObjectPropertyCondition.h:
2578         (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
2579         (JSC::ObjectPropertyCondition::hasPrototype):
2580         * bytecode/ObjectPropertyConditionSet.cpp:
2581         (JSC::generateConditionsForInstanceOf):
2582         * bytecode/ObjectPropertyConditionSet.h:
2583         * bytecode/PolymorphicAccess.cpp:
2584         (JSC::PolymorphicAccess::addCases):
2585         (JSC::PolymorphicAccess::regenerate):
2586         (WTF::printInternal):
2587         * bytecode/PropertyCondition.cpp:
2588         (JSC::PropertyCondition::dumpInContext const):
2589         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2590         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2591         (WTF::printInternal):
2592         * bytecode/PropertyCondition.h:
2593         (JSC::PropertyCondition::absenceWithoutBarrier):
2594         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2595         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2596         (JSC::PropertyCondition::hasPrototype):
2597         (JSC::PropertyCondition::hasPrototype const):
2598         (JSC::PropertyCondition::prototype const):
2599         (JSC::PropertyCondition::hash const):
2600         (JSC::PropertyCondition::operator== const):
2601         * bytecode/StructureStubInfo.cpp:
2602         (JSC::StructureStubInfo::StructureStubInfo):
2603         (JSC::StructureStubInfo::reset):
2604         * bytecode/StructureStubInfo.h:
2605         (JSC::StructureStubInfo::considerCaching):
2606         * dfg/DFGByteCodeParser.cpp:
2607         (JSC::DFG::ByteCodeParser::parseBlock):
2608         * dfg/DFGFixupPhase.cpp:
2609         (JSC::DFG::FixupPhase::fixupNode):
2610         * dfg/DFGInlineCacheWrapper.h:
2611         * dfg/DFGInlineCacheWrapperInlines.h:
2612         (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize):
2613         * dfg/DFGJITCompiler.cpp:
2614         (JSC::DFG::JITCompiler::link):
2615         * dfg/DFGJITCompiler.h:
2616         (JSC::DFG::JITCompiler::addInstanceOf):
2617         * dfg/DFGOperations.cpp:
2618         * dfg/DFGSpeculativeJIT.cpp:
2619         (JSC::DFG::SpeculativeJIT::usedRegisters):
2620         (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
2621         (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2622         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
2623         * dfg/DFGSpeculativeJIT.h:
2624         * dfg/DFGSpeculativeJIT64.cpp:
2625         (JSC::DFG::SpeculativeJIT::cachedGetById):
2626         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2627         * ftl/FTLLowerDFGToB3.cpp:
2628         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2629         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2630         (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
2631         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2632         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2633         (JSC::FTL::DFG::LowerDFGToB3::getById):
2634         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2635         * jit/ICStats.h:
2636         * jit/JIT.cpp:
2637         (JSC::JIT::privateCompileSlowCases):
2638         (JSC::JIT::link):
2639         * jit/JIT.h:
2640         * jit/JITInlineCacheGenerator.cpp:
2641         (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
2642         (JSC::JITInlineCacheGenerator::finalize):
2643         (JSC::JITByIdGenerator::JITByIdGenerator):
2644         (JSC::JITByIdGenerator::finalize):
2645         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2646         (JSC::JITInstanceOfGenerator::generateFastPath):
2647         (JSC::JITInstanceOfGenerator::finalize):
2648         * jit/JITInlineCacheGenerator.h:
2649         (JSC::JITInlineCacheGenerator::reportSlowPathCall):
2650         (JSC::JITInlineCacheGenerator::slowPathBegin const):
2651         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
2652         (JSC::finalizeInlineCaches):
2653         (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
2654         (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
2655         * jit/JITOpcodes.cpp:
2656         (JSC::JIT::emit_op_instanceof):
2657         (JSC::JIT::emitSlow_op_instanceof):
2658         * jit/JITOperations.cpp:
2659         * jit/JITOperations.h:
2660         * jit/JITPropertyAccess.cpp:
2661         (JSC::JIT::privateCompileGetByValWithCachedId):
2662         (JSC::JIT::privateCompilePutByValWithCachedId):
2663         * jit/RegisterSet.cpp:
2664         (JSC::RegisterSet::stubUnavailableRegisters):
2665         * jit/Repatch.cpp:
2666         (JSC::tryCacheIn):
2667         (JSC::tryCacheInstanceOf):
2668         (JSC::repatchInstanceOf):
2669         (JSC::resetPatchableJump):
2670         (JSC::resetIn):
2671         (JSC::resetInstanceOf):
2672         * jit/Repatch.h:
2673         * runtime/Options.h:
2674         * runtime/Structure.h:
2675
2676 2018-05-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2677
2678         Unreviewed, fix exception checking
2679         https://bugs.webkit.org/show_bug.cgi?id=185350
2680
2681         * runtime/CommonSlowPaths.h:
2682         (JSC::CommonSlowPaths::putDirectWithReify):
2683         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2684
2685 2018-05-17  Michael Saboff  <msaboff@apple.com>
2686
2687         We don't throw SyntaxErrors for runtime generated regular expressions with errors
2688         https://bugs.webkit.org/show_bug.cgi?id=185755
2689
2690         Reviewed by Keith Miller.
2691
2692         Added a new helper that creates the correct exception to throw for each type of error when
2693         compiling a RegExp.  Using that new helper, added missing checks for RegExp for the cases
2694         where we create a new RegExp from an existing one.  Also refactored other places that we
2695         throw SyntaxErrors after a failed RegExp compile to use the new helper.
2696
2697         * runtime/RegExp.h:
2698         * runtime/RegExpConstructor.cpp:
2699         (JSC::regExpCreate):
2700         (JSC::constructRegExp):
2701         * runtime/RegExpPrototype.cpp:
2702         (JSC::regExpProtoFuncCompile):
2703         * yarr/YarrErrorCode.cpp:
2704         (JSC::Yarr::errorToThrow):
2705         * yarr/YarrErrorCode.h:
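
        The following is an added example, not code from JavaScriptCore or from this
        change: it exercises the three runtime RegExp construction paths involved here
        (new RegExp(pattern, flags), new RegExp(existingRegExp, flags) and
        RegExp.prototype.compile) on constructed inputs and records which of them
        throw a SyntaxError. Helper names, case names and the sample patterns are this
        example's own.

```javascript
// Added example, not code from JavaScriptCore or from the change above. It
// exercises the three ways a RegExp can be built or rebuilt at runtime and
// records whether an invalid pattern or flag string raises SyntaxError, the
// check the change above adds for the "from an existing RegExp" paths.
// Helper and case names below are this example's own.

// Builds thunks for the three construction paths. `base` is a valid RegExp
// reused for the paths that start from an existing object.
function constructionPaths(pattern, flags, base = /a/) {
  return {
    // new RegExp(patternString, flags): pattern and flags both validated
    fromString: () => new RegExp(pattern, flags),
    // new RegExp(existingRegExp, flags): the pattern is taken from `base`,
    // so only the new flag string can be rejected here
    fromRegExp: () => new RegExp(base, flags),
    // Annex B RegExp.prototype.compile(pattern, flags): recompiles an
    // existing object in place with a new pattern and flags
    compile: () => {
      const re = new RegExp(base);
      re.compile(pattern, flags);
      return re;
    },
  };
}

// Runs one construction path and classifies what happened.
function outcomeOf(build) {
  try {
    const re = build();
    return re instanceof RegExp ? 'ok' : 'not-a-regexp';
  } catch (err) {
    return err instanceof SyntaxError ? 'SyntaxError' : `other:${err.name}`;
  }
}

// Applies every path to one (pattern, flags) case; returns {path: outcome}.
function checkCase({ pattern, flags }) {
  const result = {};
  for (const [name, build] of Object.entries(constructionPaths(pattern, flags))) {
    result[name] = outcomeOf(build);
  }
  return result;
}

// Constructed cases: a valid pattern, a malformed pattern, an invalid flag
// string, and a pattern that is only an error under a flag ("u" here).
const CASES = {
  valid:      { pattern: 'a+',  flags: 'g' },
  badPattern: { pattern: '(',   flags: '' },   // unbalanced group
  badFlags:   { pattern: 'a',   flags: 'gg' }, // duplicated flag
  badUnicode: { pattern: '\\p', flags: 'u' },  // \p needs a property name under /u
};

// Runs all cases. A path that answers anything other than 'ok' or
// 'SyntaxError' points at a gap in the engine's error reporting.
function runAll() {
  const report = {};
  for (const [name, c] of Object.entries(CASES)) report[name] = checkCase(c);
  return report;
}
```

        runAll() reports 'ok' on every path for the valid case, 'SyntaxError' on all
        three paths for the bad flag string, and 'SyntaxError' for the bad patterns only
        on the two paths that actually take a pattern string (fromRegExp keeps the
        pattern of the existing object and so only validates the flags). A path that
        answers 'ok' where 'SyntaxError' is expected is the kind of missing check this
        change adds.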
2706
2707 2018-05-17  Saam Barati  <sbarati@apple.com>
2708
2709         Remove shrinkFootprint test from apitests since it's flaky
2710         https://bugs.webkit.org/show_bug.cgi?id=185754
2711
2712         Reviewed by Mark Lam.
2713
2714         This test is flaky as it keeps failing on certain people's machines.
2715         Having a test about OS footprint seems like it'll forever be doomed
2716         to being flaky.
2717
2718         * API/tests/testapi.mm:
2719         (testObjectiveCAPIMain):
2720
2721 2018-05-17  Saam Barati  <sbarati@apple.com>
2722
2723         defaultConstructorSourceCode needs to makeSource every time it's called
2724         https://bugs.webkit.org/show_bug.cgi?id=185753
2725
2726         Rubber-stamped by Mark Lam.
2727
        The bug here is multiple VMs can be running concurrently to one another
        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
        if we copy a static SourceCode. Instead, we create a new one each time
        this function is called.
2732
2733         * builtins/BuiltinExecutables.cpp:
2734         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2735
2736 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2737
2738         [JSC] Use AssemblyHelpers' type checking functions as much as possible
2739         https://bugs.webkit.org/show_bug.cgi?id=185730
2740
2741         Reviewed by Saam Barati.
2742
        Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
        bit and register operations for type tagging of JSValue. It is really useful when we would like
        to tweak the type tagging representation since the code is collected into AssemblyHelpers. And
        the named functions are more readable than some branching operations.

        We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them duplicate
        AssemblyHelpers' ones.

        We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
        functions even for the 32bit environment. In the 32bit environment, this function takes a tag register.
        These semantics are aligned to the existing branchIfCell / branchIfNotCell.
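
        The following is an added example, not code from JavaScriptCore or from this
        change: a BigInt model of the 64bit JSValue tag tests that the branchIfXXX
        helpers named above emit (int32, number, double, boolean, cell, undefined/null).
        The tag constants are the 2018-era 64bit JSC encoding as recalled by the author
        of this note, an assumption rather than something stated in this entry; the
        encoder, decoder and classifier names are this example's own.

```javascript
// Added example, not code from JavaScriptCore or from the change above: a
// BigInt model of the 64-bit JSValue tag tests that the AssemblyHelpers
// branchIfXXX helpers emit. The tag constants are the 2018-era JSC encoding
// as recalled by the author of this note (an assumption); helper names are
// this example's own.
const TAG_TYPE_NUMBER      = 0xffff000000000000n; // top 16 bits set => int32
const DOUBLE_ENCODE_OFFSET = 0x0001000000000000n; // 2^48 added to double bits
const TAG_BIT_TYPE_OTHER   = 0x2n;                // set on every non-cell immediate
const TAG_BIT_UNDEFINED    = 0x8n;                // tells undefined from null
const VALUE_EMPTY = 0x0n, VALUE_NULL = 0x2n, VALUE_FALSE = 0x6n, VALUE_TRUE = 0x7n, VALUE_UNDEFINED = 0x0an;
const NOT_CELL_MASK = TAG_TYPE_NUMBER | TAG_BIT_TYPE_OTHER;
const MASK64 = (1n << 64n) - 1n;

// IEEE-754 bit pattern of a double as a BigInt, and back.
const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);
function doubleToBits(d) { f64[0] = d; return u64[0]; }
function bitsToDouble(b) { u64[0] = b; return f64[0]; }

// Encoders: each returns the 64-bit JSValue payload as a BigInt.
function encodeInt32(i) {
  if (!Number.isInteger(i) || i < -(2 ** 31) || i > 2 ** 31 - 1) throw new RangeError('not int32');
  return TAG_TYPE_NUMBER | BigInt.asUintN(32, BigInt(i));
}
function encodeDouble(d) { return (doubleToBits(d) + DOUBLE_ENCODE_OFFSET) & MASK64; }
function encodeBoolean(b) { return b ? VALUE_TRUE : VALUE_FALSE; }
function encodeCell(addr) {
  // Cells are aligned heap pointers: top 16 bits clear and bit 1 clear.
  if ((addr & NOT_CELL_MASK) !== 0n) throw new RangeError('not a cell pointer');
  return addr;
}

// Type tests: the mask-and-compare sequences behind branchIfInt32 /
// branchIfNumber / branchIfBoolean / branchIfCell and friends.
const isInt32   = v => (v & TAG_TYPE_NUMBER) === TAG_TYPE_NUMBER;
const isNumber  = v => (v & TAG_TYPE_NUMBER) !== 0n;
const isDouble  = v => isNumber(v) && !isInt32(v);
const isCell    = v => (v & NOT_CELL_MASK) === 0n;   // note: also true for VALUE_EMPTY
const isBoolean = v => (v & ~1n) === VALUE_FALSE;    // true/false differ only in bit 0
const isUndefinedOrNull = v => (v & ~TAG_BIT_UNDEFINED) === VALUE_NULL;

// Decoders for the two number representations.
function decodeInt32(v) { return Number(BigInt.asIntN(32, v & 0xffffffffn)); }
function decodeDouble(v) { return bitsToDouble((v - DOUBLE_ENCODE_OFFSET) & MASK64); }

// Classifies a value in the order a JIT fast path would test it; empty is
// checked first because the plain cell test does not exclude it.
function classify(v) {
  if (v === VALUE_EMPTY) return 'empty';
  if (isInt32(v)) return 'int32';
  if (isNumber(v)) return 'double';
  if (isCell(v)) return 'cell';
  if (isBoolean(v)) return 'boolean';
  if (v === VALUE_UNDEFINED) return 'undefined';
  if (v === VALUE_NULL) return 'null';
  return 'other';
}
```

        The point of the model is the order and shape of the masks: a single AND with
        TAG_TYPE_NUMBER answers both "is it a number" (non-zero) and "is it an int32"
        (all tag bits set), the cell test is one AND against NOT_CELL_MASK, and the
        boolean test clears bit 0 and compares against VALUE_FALSE. Mixing these up,
        or testing them in the wrong order, is exactly the kind of mistake that
        collecting them in AssemblyHelpers is meant to prevent.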
2754
2755         * bytecode/AccessCase.cpp:
2756         (JSC::AccessCase::generateWithGuard):
2757         * dfg/DFGSpeculativeJIT.cpp:
2758         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2759         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2760         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2761         (JSC::DFG::SpeculativeJIT::compileSpread):
2762         (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
2763         (JSC::DFG::SpeculativeJIT::speculateCellType):
2764         (JSC::DFG::SpeculativeJIT::speculateNumber):
2765         (JSC::DFG::SpeculativeJIT::speculateMisc):
2766         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
2767         (JSC::DFG::SpeculativeJIT::compileCreateThis):
2768         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2769         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
2770         * dfg/DFGSpeculativeJIT32_64.cpp:
2771         (JSC::DFG::SpeculativeJIT::emitCall):
2772         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2773         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2774         (JSC::DFG::SpeculativeJIT::compile):
2775         * dfg/DFGSpeculativeJIT64.cpp:
2776         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2777         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
2778         (JSC::DFG::SpeculativeJIT::emitCall):
2779         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2780         (JSC::DFG::SpeculativeJIT::compile):
2781         (JSC::DFG::SpeculativeJIT::convertAnyInt):
2782         * ftl/FTLLowerDFGToB3.cpp:
2783         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
2784         * jit/AssemblyHelpers.h:
2785         (JSC::AssemblyHelpers::branchIfInt32):
2786         (JSC::AssemblyHelpers::branchIfNotInt32):
2787         (JSC::AssemblyHelpers::branchIfNumber):
2788         (JSC::AssemblyHelpers::branchIfNotNumber):
2789         (JSC::AssemblyHelpers::branchIfBoolean):
2790         (JSC::AssemblyHelpers::branchIfNotBoolean):
2791         (JSC::AssemblyHelpers::branchIfEmpty):
2792         (JSC::AssemblyHelpers::branchIfNotEmpty):
2793         (JSC::AssemblyHelpers::branchIfUndefined):
2794         (JSC::AssemblyHelpers::branchIfNotUndefined):
2795         (JSC::AssemblyHelpers::branchIfNull):
2796         (JSC::AssemblyHelpers::branchIfNotNull):
2797         * jit/JIT.h:
2798         * jit/JITArithmetic.cpp:
2799         (JSC::JIT::emit_compareAndJump):
2800         (JSC::JIT::emit_compareAndJumpSlow):
2801         * jit/JITArithmetic32_64.cpp:
2802         (JSC::JIT::emit_compareAndJump):
2803         (JSC::JIT::emit_op_unsigned):
2804         (JSC::JIT::emit_op_inc):
2805         (JSC::JIT::emit_op_dec):
2806         (JSC::JIT::emitBinaryDoubleOp):
2807         (JSC::JIT::emit_op_mod):
2808         * jit/JITCall.cpp:
2809         (JSC::JIT::compileCallEval):
2810         (JSC::JIT::compileOpCall):
2811         * jit/JITCall32_64.cpp:
2812         (JSC::JIT::compileCallEval):
2813         (JSC::JIT::compileOpCall):
2814         * jit/JITInlines.h:
2815         (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
2816         (JSC::JIT::emitJumpIfBothJSCells):
2817         (JSC::JIT::emitJumpSlowCaseIfJSCell):
2818         (JSC::JIT::emitJumpIfNotInt):
2819         (JSC::JIT::emitJumpSlowCaseIfNotInt):
2820         (JSC::JIT::emitJumpSlowCaseIfNotNumber):
2821         (JSC::JIT::emitJumpIfCellObject): Deleted.
2822         (JSC::JIT::emitJumpIfCellNotObject): Deleted.
2823         (JSC::JIT::emitJumpIfJSCell): Deleted.
2824         (JSC::JIT::emitJumpIfInt): Deleted.
2825         * jit/JITOpcodes.cpp:
2826         (JSC::JIT::emit_op_instanceof):
2827         (JSC::JIT::emit_op_is_undefined):
2828         (JSC::JIT::emit_op_is_cell_with_type):
2829         (JSC::JIT::emit_op_is_object):
2830         (JSC::JIT::emit_op_to_primitive):
2831         (JSC::JIT::emit_op_jeq_null):
2832         (JSC::JIT::emit_op_jneq_null):
2833         (JSC::JIT::compileOpStrictEq):
2834         (JSC::JIT::compileOpStrictEqJump):
2835         (JSC::JIT::emit_op_to_number):
2836         (JSC::JIT::emit_op_to_string):
2837         (JSC::JIT::emit_op_to_object):
2838         (JSC::JIT::emit_op_eq_null):
2839         (JSC::JIT::emit_op_neq_null):
2840         (JSC::JIT::emit_op_to_this):
2841         (JSC::JIT::emit_op_create_this):
2842         (JSC::JIT::emit_op_check_tdz):
2843         (JSC::JIT::emitNewFuncExprCommon):
2844         (JSC::JIT::emit_op_profile_type):
2845         * jit/JITOpcodes32_64.cpp:
2846         (JSC::JIT::emit_op_instanceof):
2847         (JSC::JIT::emit_op_is_undefined):
2848         (JSC::JIT::emit_op_is_cell_with_type):
2849         (JSC::JIT::emit_op_is_object):
2850         (JSC::JIT::emit_op_to_primitive):
2851         (JSC::JIT::emit_op_not):
2852         (JSC::JIT::emit_op_jeq_null):
2853         (JSC::JIT::emit_op_jneq_null):
2854         (JSC::JIT::emit_op_jneq_ptr):
2855         (JSC::JIT::emit_op_eq):
2856         (JSC::JIT::emit_op_jeq):
2857         (JSC::JIT::emit_op_neq):
2858         (JSC::JIT::emit_op_jneq):
2859         (JSC::JIT::compileOpStrictEq):
2860         (JSC::JIT::compileOpStrictEqJump):
2861         (JSC::JIT::emit_op_eq_null):
2862         (JSC::JIT::emit_op_neq_null):
2863         (JSC::JIT::emit_op_to_number):
2864         (JSC::JIT::emit_op_to_string):
2865         (JSC::JIT::emit_op_to_object):
2866         (JSC::JIT::emit_op_create_this):
2867         (JSC::JIT::emit_op_to_this):
2868         (JSC::JIT::emit_op_check_tdz):
2869         (JSC::JIT::emit_op_profile_type):
2870         * jit/JITPropertyAccess.cpp:
2871         (JSC::JIT::emit_op_get_by_val):
2872         (JSC::JIT::emitGetByValWithCachedId):
2873         (JSC::JIT::emitGenericContiguousPutByVal):
2874         (JSC::JIT::emitPutByValWithCachedId):
2875         (JSC::JIT::emit_op_get_from_scope):
2876         (JSC::JIT::emit_op_put_to_scope):
2877         (JSC::JIT::emitWriteBarrier):
2878         (JSC::JIT::emitIntTypedArrayPutByVal):
2879         (JSC::JIT::emitFloatTypedArrayPutByVal):
2880         * jit/JITPropertyAccess32_64.cpp:
2881         (JSC::JIT::emit_op_get_by_val):
2882         (JSC::JIT::emitContiguousLoad):
2883         (JSC::JIT::emitArrayStorageLoad):
2884         (JSC::JIT::emitGetByValWithCachedId):
2885         (JSC::JIT::emitGenericContiguousPutByVal):
2886         (JSC::JIT::emitPutByValWithCachedId):
2887         (JSC::JIT::emit_op_get_from_scope):
2888         (JSC::JIT::emit_op_put_to_scope):
2889         * jit/JSInterfaceJIT.h:
2890         (JSC::JSInterfaceJIT::emitLoadJSCell):
2891         (JSC::JSInterfaceJIT::emitLoadInt32):
2892         (JSC::JSInterfaceJIT::emitLoadDouble):
2893         (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
2894         (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
2895         (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
2896         * jit/Repatch.cpp:
2897         (JSC::linkPolymorphicCall):
2898         * jit/ThunkGenerators.cpp:
2899         (JSC::virtualThunkFor):
2900         (JSC::absThunkGenerator):
2901         * tools/JSDollarVM.cpp:
2902         (WTF::DOMJITNode::checkSubClassSnippet):
2903         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2904
2905 2018-05-17  Saam Barati  <sbarati@apple.com>
2906
2907         Unreviewed. Fix the build after my attempted build fix broke the build.
2908
2909         * builtins/BuiltinExecutables.cpp:
2910         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2911         (JSC::BuiltinExecutables::createDefaultConstructor):
2912         * builtins/BuiltinExecutables.h:
2913
2914 2018-05-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2915
2916         [JSC] Remove reifyPropertyNameIfNeeded
2917         https://bugs.webkit.org/show_bug.cgi?id=185350
2918
2919         Reviewed by Saam Barati.
2920
2921         reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
2922         This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
2923         cost, we should remove this from the critical path.
2924
2925         This patch removes this function call from the critical path. And in our slow paths, we call
2926         helper functions which call reifyLazyPropertyIfNeeded if the given value is a JSFunction.
2927         While putDirect is a bit of a raw API, our slow paths just call it. This helper wraps these calls
2928         and takes care of the edge cases. The other callsites of putDirect should know the type of the given
2929         object and the name of the property (and avoid these edge cases).
2930
2931         This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
2932         regressions in the existing tests.
2933
2934                                            baseline                  patched
2935         Kraken:
2936             json-parse-financial        35.522+-0.069      ^      34.708+-0.097         ^ definitely 1.0234x faster
2937
2938         SixSpeed:
2939             object-assign.es6         145.8779+-0.2838     ^    140.1019+-0.8007        ^ definitely 1.0412x faster
2940
2941         * dfg/DFGOperations.cpp:
2942         (JSC::DFG::putByValInternal):
2943         (JSC::DFG::putByValCellInternal):
2944         * jit/JITOperations.cpp:
2945         * llint/LLIntSlowPaths.cpp:
2946         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2947         * runtime/ClassInfo.h:
2948         * runtime/CommonSlowPaths.h:
2949         (JSC::CommonSlowPaths::putDirectWithReify):
2950         (JSC::CommonSlowPaths::putDirectAccessorWithReify):
2951         * runtime/JSCell.cpp:
2952         (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
2953         * runtime/JSCell.h:
2954         * runtime/JSFunction.cpp:
2955         (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
2956         * runtime/JSFunction.h:
2957         * runtime/JSObject.cpp:
2958         (JSC::JSObject::putDirectAccessor):
2959         (JSC::JSObject::putDirectNonIndexAccessor):
2960         * runtime/JSObject.h:
2961         * runtime/JSObjectInlines.h:
2962         (JSC::JSObject::putDirectInternal):
2963
2964 2018-05-17  Saam Barati  <sbarati@apple.com>
2965
2966         Unreviewed. Try to fix windows build.
2967
2968         * builtins/BuiltinExecutables.cpp:
2969         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2970
2971 2018-05-16  Saam Barati  <sbarati@apple.com>
2972
2973         UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
2974         https://bugs.webkit.org/show_bug.cgi?id=185637
2975
2976         Reviewed by Keith Miller.
2977
2978         We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
2979         source code. However, we were only using this for default class constructors. There
2980         are only two types of default class constructors. This patch makes it so that
2981         we just store this information inside of a single bit, and ask for the source
2982         code as needed instead of holding it in a nullable field that is 24 bytes in size.
2983         
2984         This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
2985         This has the consequence of making it allocated out of a 160 byte size class
2986         instead of a 224 byte size class. This should bring down its memory footprint
2987         by ~40%.
2988
2989         * builtins/BuiltinExecutables.cpp:
2990         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2991         (JSC::BuiltinExecutables::createDefaultConstructor):
2992         (JSC::BuiltinExecutables::createExecutable):
2993         * builtins/BuiltinExecutables.h:
2994         * bytecode/UnlinkedFunctionExecutable.cpp:
2995         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2996         (JSC::UnlinkedFunctionExecutable::link):
2997         * bytecode/UnlinkedFunctionExecutable.h:
2998         * runtime/CodeCache.cpp:
2999         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3000
3001 2018-05-16  Saam Barati  <sbarati@apple.com>
3002
3003         VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
3004         https://bugs.webkit.org/show_bug.cgi?id=185707
3005
3006         Reviewed by Mark Lam.
3007
3008         * runtime/VM.cpp:
3009         (JSC::VM::shrinkFootprint):
3010
3011 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3012
3013         [ESNext][BigInt] Implement support for "/" operation
3014         https://bugs.webkit.org/show_bug.cgi?id=183996
3015
3016         Reviewed by Yusuke Suzuki.
3017
3018         This patch is introducing the support for BigInt into the divide
3019         operation in the LLInt and JIT layers.
3020
3021         * dfg/DFGOperations.cpp:
3022         * runtime/CommonSlowPaths.cpp:
3023         (JSC::SLOW_PATH_DECL):
3024         * runtime/JSBigInt.cpp:
3025         (JSC::JSBigInt::divide):
3026         (JSC::JSBigInt::copy):
3027         (JSC::JSBigInt::unaryMinus):
3028         (JSC::JSBigInt::absoluteCompare):
3029         (JSC::JSBigInt::absoluteDivLarge):
3030         (JSC::JSBigInt::productGreaterThan):
3031         (JSC::JSBigInt::inplaceAdd):
3032         (JSC::JSBigInt::inplaceSub):
3033         (JSC::JSBigInt::inplaceRightShift):
3034         (JSC::JSBigInt::specialLeftShift):
3035         (JSC::JSBigInt::digit):
3036         (JSC::JSBigInt::setDigit):
3037         * runtime/JSBigInt.h:
3038
3039 2018-05-16  Saam Barati  <sbarati@apple.com>
3040
3041         Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
3042         https://bugs.webkit.org/show_bug.cgi?id=185670
3043
3044         Reviewed by Yusuke Suzuki.
3045
3046         This patch makes it so that we constant fold CheckTypeInfoFlags for
3047         ImplementsDefaultHasInstance inside of AI/constant folding. We constant
3048         fold in three ways:
3049         - When the incoming value is a constant, we just look at its inline type
3050         flags. Since those flags never change after an object is created, this
3051         is sound.
3052         - Based on the incoming value having a finite structure set. We just iterate
3053         all structures and ensure they have the bit set.
3054         - Based on speculated type. To do this, I split up SpecFunction into two
3055         subheaps where one is for functions that have the bit set, and one for
3056         functions that don't have the bit set. The latter is currently only comprised
3057         of JSBoundFunctions. To constant fold, we check that the incoming
3058         value only has the SpecFunction type with ImplementsDefaultHasInstance set.
3059
3060         * bytecode/SpeculatedType.cpp:
3061         (JSC::speculationFromClassInfo):
3062         * bytecode/SpeculatedType.h:
3063         * dfg/DFGAbstractInterpreterInlines.h:
3064         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3065         * dfg/DFGConstantFoldingPhase.cpp:
3066         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3067         * dfg/DFGSpeculativeJIT.cpp:
3068         (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
3069         * dfg/DFGStrengthReductionPhase.cpp:
3070         (JSC::DFG::StrengthReductionPhase::handleNode):
3071         * runtime/JSFunction.cpp:
3072         (JSC::JSFunction::JSFunction):
3073         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3074         * runtime/JSFunction.h:
3075         (JSC::JSFunction::assertTypeInfoFlagInvariants):
3076         * runtime/JSFunctionInlines.h:
3077         (JSC::JSFunction::JSFunction):
3078
3079 2018-05-16  Devin Rousso  <webkit@devinrousso.com>
3080
3081         Web Inspector: create a navigation item for toggling the overlay rulers/guides
3082         https://bugs.webkit.org/show_bug.cgi?id=185644
3083
3084         Reviewed by Matt Baker.
3085
3086         * inspector/protocol/OverlayTypes.json:
3087         * inspector/protocol/Page.json:
3088
3089 2018-05-16  Commit Queue  <commit-queue@webkit.org>
3090
3091         Unreviewed, rolling out r231845.
3092         https://bugs.webkit.org/show_bug.cgi?id=185702
3093
3094         it is breaking Apple High Sierra 32-bit JSC bot (Requested by
3095         caiolima on #webkit).
3096
3097         Reverted changeset:
3098
3099         "[ESNext][BigInt] Implement support for "/" operation"
3100         https://bugs.webkit.org/show_bug.cgi?id=183996
3101         https://trac.webkit.org/changeset/231845
3102
3103 2018-05-16  Filip Pizlo  <fpizlo@apple.com>
3104
3105         DFG models InstanceOf incorrectly
3106         https://bugs.webkit.org/show_bug.cgi?id=185694
3107
3108         Reviewed by Keith Miller.
3109         
3110         Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
3111         hoist it.
3112
3113         * dfg/DFGAbstractInterpreterInlines.h:
3114         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3115         * dfg/DFGClobberize.h:
3116         (JSC::DFG::clobberize):
3117         * dfg/DFGHeapLocation.cpp:
3118         (WTF::printInternal):
3119         * dfg/DFGHeapLocation.h:
3120         * dfg/DFGNodeType.h:
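
        The two instanceof entries above (the InstanceOf modelling fix, and the earlier
        ImplementsDefaultHasInstance constant-folding change that singles out JSBoundFunction)
        describe semantics that are easy to see from plain JavaScript. The following is an
        added example written for this page; it is not WebKit/JSC code and nothing in it is
        taken from the patches. It relies only on standard ECMAScript behaviour: OrdinaryHasInstance
        walks the left operand's prototype chain via [[GetPrototypeOf]], which a Proxy can trap
        or throw from, and a bound function delegates the check to its target.

```javascript
// Added example (not WebKit code): why a JIT cannot treat `instanceof` as a
// pure, non-throwing operation, and why bound functions are a special case.
function Base() {}

// The prototype walk calls the Proxy's getPrototypeOf trap: a visible side effect.
// Returns [result, number of trap invocations].
function instanceOfThroughProxy() {
  let trapCalls = 0;
  const proxy = new Proxy(Object.create(Base.prototype), {
    getPrototypeOf(target) {
      trapCalls += 1; // observable effect of the instanceof check
      return Reflect.getPrototypeOf(target);
    },
  });
  const result = proxy instanceof Base; // true: trap returns Base.prototype
  return [result, trapCalls];
}

// Even with the result discarded the trap still runs. A compiler that modelled
// InstanceOf as pure could dead-code-eliminate it and change this count to 0.
function unusedResultStillRunsTrap() {
  let trapCalls = 0;
  const proxy = new Proxy({}, {
    getPrototypeOf(target) { trapCalls += 1; return Reflect.getPrototypeOf(target); },
  });
  void (proxy instanceof Base);
  return trapCalls;
}

// The trap may throw, so instanceof itself can throw.
function instanceOfCanThrow() {
  const proxy = new Proxy({}, { getPrototypeOf() { throw new TypeError('trap fired'); } });
  try {
    return String(proxy instanceof Base);
  } catch (e) {
    return e.message;
  }
}

// The check sits behind a guard. Hoisting it out of the loop (or above the
// guard) would throw on calls where the guard is never satisfied.
function guardedInstanceOf(checkIt) {
  const throwingProxy = new Proxy({}, { getPrototypeOf() { throw new TypeError('hoisted'); } });
  try {
    for (let i = 0; i < 3; i++) {
      if (checkIt && throwingProxy instanceof Base) return 'matched';
    }
    return 'skipped';
  } catch (e) {
    return e.message;
  }
}

// A bound function has no own `prototype`; `x instanceof bound` delegates to the
// bound target. This is the function kind the entry above says lacks the
// ImplementsDefaultHasInstance bit, so it cannot be folded like an ordinary function.
function boundFunctionInstanceOf() {
  const bound = Base.bind(null);
  const viaBound = new Base() instanceof bound; // true, via Base.prototype
  const hasOwnPrototype = Object.prototype.hasOwnProperty.call(bound, 'prototype'); // false
  return [viaBound, hasOwnPrototype];
}
```

        Running guardedInstanceOf(false) returns 'skipped' with no exception, while
        guardedInstanceOf(true) returns 'hoisted'; the difference is exactly what a hoisted or
        speculatively executed check would break.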
3121
3122 2018-05-16  Andy VanWagoner  <andy@vanwagoner.family>
3123
3124         Add support for Intl NumberFormat formatToParts
3125         https://bugs.webkit.org/show_bug.cgi?id=185375
3126
3127         Reviewed by Yusuke Suzuki.
3128
3129         Add flag for NumberFormat formatToParts. Implement formatToParts using
3130         unum_formatDoubleForFields. Because the fields are nested and come back
3131         in no guaranteed order, the simple algorithm to convert them to the
3132         desired format is roughly O(n^2). However, even with Number.MAX_VALUE
3133         it appears to perform well enough for the initial implementation. Another
3134         issue has been created to improve this algorithm.
3135
3136         This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
3137         on macOS, since only v57 is available.
3138
3139         * Configurations/FeatureDefines.xcconfig:
3140         * runtime/IntlNumberFormat.cpp:
3141         (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
3142         (JSC::IntlNumberFormat::partTypeString):
3143         (JSC::IntlNumberFormat::formatToParts):
3144         * runtime/IntlNumberFormat.h:
3145         * runtime/IntlNumberFormatPrototype.cpp:
3146         (JSC::IntlNumberFormatPrototype::create):
3147         (JSC::IntlNumberFormatPrototype::finishCreation):
3148         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3149         * runtime/IntlNumberFormatPrototype.h:
3150         * runtime/Options.h:
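
        The entry above notes that the fields come back nested and in no guaranteed order, and
        that the simple conversion is roughly O(n^2). The following added example, written for
        this page and not taken from WebKit or ICU, shows that conversion in JavaScript on a
        constructed set of spans. The span shape ({type, begin, end}) and the part type names
        are assumptions chosen to mirror what formatToParts returns; the real ICU iterator and
        the JSC implementation are not reproduced here.

```javascript
// Added example (not WebKit/ICU code): flatten nested, unordered field spans
// into the ordered {type, value} parts that formatToParts-style APIs return.
//
// For each character, pick the innermost (shortest) span covering it; characters
// covered by no span become 'literal'. Adjacent characters resolved to the same
// span merge into one part. Cost is O(characters x fields), the "roughly O(n^2)"
// the entry above refers to.
function fieldsToParts(formatted, fields) {
  const parts = [];
  let lastSpan; // the span object that produced the previous part (null for literal)
  for (let i = 0; i < formatted.length; i++) {
    let span = null;
    for (const f of fields) {
      const covers = f.begin <= i && i < f.end;
      if (covers && (span === null || f.end - f.begin < span.end - span.begin)) {
        span = f; // keep the innermost span
      }
    }
    const type = span ? span.type : 'literal';
    const last = parts[parts.length - 1];
    if (last && span === lastSpan && last.type === type) {
      last.value += formatted[i];
    } else {
      parts.push({ type, value: formatted[i] });
      lastSpan = span;
    }
  }
  return parts;
}

// Constructed sample: spans as a field iterator might report them for "-1,234.56",
// deliberately out of order, with the group span nested inside the integer span.
const SAMPLE_FORMATTED = '-1,234.56';
const SAMPLE_FIELDS = [
  { type: 'fraction', begin: 7, end: 9 },
  { type: 'group', begin: 2, end: 3 },
  { type: 'integer', begin: 1, end: 6 },
  { type: 'minusSign', begin: 0, end: 1 },
  { type: 'decimal', begin: 6, end: 7 },
];

function sampleParts() {
  return fieldsToParts(SAMPLE_FORMATTED, SAMPLE_FIELDS);
}

// Sanity check a practitioner would keep: concatenating the parts must
// reproduce the formatted string exactly, whatever the span order.
function roundTrips(formatted, fields) {
  return fieldsToParts(formatted, fields).map((p) => p.value).join('') === formatted;
}
```

        sampleParts() yields minusSign "-", integer "1", group ",", integer "234", decimal ".",
        fraction "56": the integer run is split around the nested group span, which is the
        ordering problem the entry describes.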
3151
3152 2018-05-16  Caio Lima  <ticaiolima@gmail.com>
3153
3154         [ESNext][BigInt] Implement support for "/" operation
3155         https://bugs.webkit.org/show_bug.cgi?id=183996
3156
3157         Reviewed by Yusuke Suzuki.
3158
3159         This patch is introducing the support for BigInt into the divide
3160         operation in the LLInt and JIT layers.
3161
3162         * dfg/DFGOperations.cpp:
3163         * runtime/CommonSlowPaths.cpp:
3164         (JSC::SLOW_PATH_DECL):
3165         * runtime/JSBigInt.cpp:
3166         (JSC::JSBigInt::divide):
3167         (JSC::JSBigInt::copy):
3168         (JSC::JSBigInt::unaryMinus):
3169         (JSC::JSBigInt::absoluteCompare):
3170         (JSC::JSBigInt::absoluteDivLarge):
3171         (JSC::JSBigInt::productGreaterThan):
3172         (JSC::JSBigInt::inplaceAdd):
3173         (JSC::JSBigInt::inplaceSub):
3174         (JSC::JSBigInt::inplaceRightShift):
3175         (JSC::JSBigInt::specialLeftShift):
3176         (JSC::JSBigInt::digit):
3177         (JSC::JSBigInt::setDigit):
3178         * runtime/JSBigInt.h:
3179
3180 2018-05-16  Alberto Garcia  <berto@igalia.com>
3181
3182         [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
3183         https://bugs.webkit.org/show_bug.cgi?id=182622
3184
3185         Reviewed by Michael Catanzaro.
3186
3187         We were linking JavaScriptCore against libatomic in MIPS because
3188         in that architecture __atomic_fetch_add_8() is not a compiler
3189         intrinsic and is provided by that library instead. However other
3190         architectures (e.g armel) are in the same situation, so we need a
3191         generic test.
3192
3193         That test already exists in WebKit/CMakeLists.txt, so we just have
3194         to move it to a common file (WebKitCompilerFlags.cmake) and use
3195         its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here.
3196
3197         * CMakeLists.txt:
3198
3199 2018-05-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3200
3201         [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
3202         https://bugs.webkit.org/show_bug.cgi?id=185601
3203
3204         Reviewed by Saam Barati.
3205
3206         Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData
3207         before calling getCallData when we would like to check whether a given object is callable
3208         since getCallData is a virtual call. When we call the object anyway, directly calling getCallData
3209         is fine. But if we would like to check whether the object is callable, we can have non
3210         callable objects frequently. In that case, we should not call getCallData if we can avoid it.
3211
3212         To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable}
3213         and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform
3214         OverridesGetCallData checking before calling getCallData.
3215
3216         We found that this virtual call exists in JSON.stringify's critical path. Checking
3217         OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%.
3218
3219                                                baseline                  patched
3220
3221             json-stringify-tinderbox        38.807+-0.350      ^      37.216+-0.337         ^ definitely 1.0427x faster
3222
3223         In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path
3224         since major cases are covered by this fast JSFunctionType checking.
3225
3226         * API/JSCallbackObject.h:
3227         * dfg/DFGAbstractInterpreterInlines.h:
3228         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3229         * dfg/DFGOperations.cpp:
3230         * dfg/DFGSpeculativeJIT.cpp:
3231         (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
3232         (JSC::DFG::SpeculativeJIT::compileIsFunction):
3233         * ftl/FTLLowerDFGToB3.cpp:
3234         (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof):
3235         * jit/AssemblyHelpers.h:
3236         (JSC::AssemblyHelpers::emitTypeOf):
3237         * runtime/ExceptionHelpers.cpp:
3238         (JSC::createError):
3239         (JSC::createInvalidFunctionApplyParameterError):
3240         * runtime/FunctionPrototype.cpp:
3241         (JSC::functionProtoFuncToString):
3242         * runtime/InternalFunction.h:
3243         * runtime/JSCJSValue.h:
3244         * runtime/JSCJSValueInlines.h:
3245         (JSC::JSValue::isFunction const):
3246         (JSC::JSValue::isCallable const):
3247         * runtime/JSCell.h:
3248         * runtime/JSCellInlines.h:
3249         (JSC::JSCell::isFunction):
3250         ALWAYS_INLINE works well for my environment.
3251         (JSC::JSCell::isCallable):
3252         * runtime/JSFunction.h:
3253         * runtime/JSONObject.cpp:
3254         (JSC::Stringifier::toJSON):
3255         (JSC::Stringifier::toJSONImpl):
3256         (JSC::Stringifier::appendStringifiedValue):
3257         * runtime/JSObjectInlines.h:
3258         (JSC::createListFromArrayLike):
3259         * runtime/JSTypeInfo.h:
3260         (JSC::TypeInfo::overridesGetCallData const):
3261         (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted.
3262         * runtime/Operations.cpp:
3263         (JSC::jsTypeStringForValue):
3264         (JSC::jsIsObjectTypeOrNull):
3265         * runtime/ProxyObject.h:
3266         * runtime/RuntimeType.cpp:
3267         (JSC::runtimeTypeForValue):
3268         * runtime/RuntimeType.h:
3269         * runtime/Structure.cpp:
3270         (JSC::Structure::Structure):
3271         * runtime/TypeProfilerLog.cpp:
3272         (JSC::TypeProfilerLog::TypeProfilerLog):
3273         (JSC::TypeProfilerLog::processLogEntries):
3274         * runtime/TypeProfilerLog.h:
3275         * runtime/VM.cpp:
3276         (JSC::VM::enableTypeProfiler):
3277         * tools/JSDollarVM.cpp:
3278         (JSC::functionFindTypeForExpression):
3279         (JSC::functionReturnTypeFor):
3280         (JSC::functionHasBasicBlockExecuted):
3281         (JSC::functionBasicBlockExecutionCount):
3282         * wasm/js/JSWebAssemblyHelpers.h:
3283         (JSC::getWasmBufferFromValue):
3284         * wasm/js/JSWebAssemblyInstance.cpp:
3285         (JSC::JSWebAssemblyInstance::create):
3286         * wasm/js/WebAssemblyFunction.cpp:
3287         (JSC::callWebAssemblyFunction):
3288         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3289         (JSC::constructJSWebAssemblyInstance):
3290         * wasm/js/WebAssemblyModuleRecord.cpp:
3291         (JSC::WebAssemblyModuleRecord::link):
3292         * wasm/js/WebAssemblyPrototype.cpp:
3293         (JSC::webAssemblyInstantiateFunc):
3294         (JSC::webAssemblyInstantiateStreamingInternal):
3295         * wasm/js/WebAssemblyWrapperFunction.cpp:
3296         (JSC::WebAssemblyWrapperFunction::finishCreation):
3297
3298 2018-05-15  Devin Rousso  <webkit@devinrousso.com>
3299
3300         Web Inspector: Add rulers and guides
3301         https://bugs.webkit.org/show_bug.cgi?id=32263
3302         <rdar://problem/19281564>
3303
3304         Reviewed by Matt Baker.
3305
3306         * inspector/protocol/OverlayTypes.json:
3307
3308 2018-05-14  Keith Miller  <keith_miller@apple.com>
3309
3310         Remove butterflyMask from DFGAbstractHeap
3311         https://bugs.webkit.org/show_bug.cgi?id=185640
3312
3313         Reviewed by Saam Barati.
3314
3315         We don't have a butterfly indexing mask anymore so we don't need
3316         the abstract heap information for it anymore.
3317
3318         * dfg/DFGAbstractHeap.h:
3319         * dfg/DFGClobberize.h:
3320         (JSC::DFG::clobberize):
3321
3322 2018-05-14  Andy VanWagoner  <andy@vanwagoner.family>
3323
3324         [INTL] Handle error in defineProperty for supported locales length
3325         https://bugs.webkit.org/show_bug.cgi?id=185623
3326
3327         Reviewed by Saam Barati.
3328
3329         Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the
3330         length of the supported locales array.
3331
3332         * runtime/IntlObject.cpp:
3333         (JSC::supportedLocales):
3334
3335 2018-05-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3336
3337         [JSC] Tweak LiteralParser to improve lexing performance
3338         https://bugs.webkit.org/show_bug.cgi?id=185541
3339
3340         Reviewed by Saam Barati.
3341
3342         This patch attempts to improve LiteralParser performance.
3343
3344         This patch improves Kraken/json-parse-financial by roughly ~10%.
3345                                            baseline                  patched
3346
3347             json-parse-financial        65.810+-1.591      ^      59.943+-1.784         ^ definitely 1.0979x faster
3348
3349         * parser/Lexer.cpp:
3350         (JSC::Lexer<T>::Lexer):
3351         * runtime/ArgList.h:
3352         (JSC::MarkedArgumentBuffer::takeLast):
3353         Add takeLast() for idiomatic last() + removeLast() calls.
3354
3355         * runtime/LiteralParser.cpp:
3356         (JSC::LiteralParser<CharType>::Lexer::lex):
3357         Do not take the mode as a template parameter. While the lex function is large, this mode is not used in a critical path.
3358         We should not include this mode in its template parameter, to reduce the code size.
3359         And we do not use a template parameter for the terminator since duplicating the ' and " code for lexString is not good.
3360         Also, we construct a TokenType table to remove a bunch of unnecessary switch cases.
3361
3362         (JSC::LiteralParser<CharType>::Lexer::next):
3363         (JSC::isSafeStringCharacter):
3364         Take the mode as a template parameter, but do not take the terminator character as one.
3365
3366         (JSC::LiteralParser<CharType>::Lexer::lexString):
3367         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3368         Duplicate while statements manually since this is a critical path.
3369
3370         (JSC::LiteralParser<CharType>::parse):
3371         Use takeLast().
3372
3373         * runtime/LiteralParser.h:
3374
3375 2018-05-14  Dominik Infuehr  <dinfuehr@igalia.com>
3376
3377         [MIPS] Use btpz to compare against 0 instead of bpeq
3378         https://bugs.webkit.org/show_bug.cgi?id=185607
3379
3380         Reviewed by Yusuke Suzuki.
3381
3382         Fixes build on MIPS since MIPS doesn't have an instruction to
3383         compare a register against an immediate. Since the immediate is just 0
3384         in this case the simplest solution is just to use btpz instead of bpeq